Microsoft Revises Security Bulletins, Rating System

The company will make security bulletins more readable and add a fourth security rating-Important.

In the hopes of making its security bulletins more readable, Microsoft Corp. on Tuesday announced that it has revised the guidelines it uses to rate the severity of the security vulnerabilities in its products. The company will also establish a separate mailing list for end users who dont want or need all of the technical detail in the advisories it sends out to systems administrators and security specialists.

The changes are a result of feedback from customers who thought the bulletins were too detailed and confusing.

The Microsoft Security Response Center, which handles the investigation of any alleged vulnerabilities in the companys products, sends out an advisory to its Security Notification Service mailing list any time there is a confirmed flaw that might affect multiple customers. The list is open to anyone, but is made up mainly of highly technical users. As a result, the bulletins mailed out to the list include a lot of detail on the vulnerability itself, how it might be exploited and any mitigating factors.

Much of this information is lost on home users, who simply want to know about the problem and whether they need to install the patch.

"Customer feedback tells us that, while technical professionals value our security bulletins, many end-users find them overly detailed and confusing," Steve Lipner, director of security assurance at Microsoft, in Redmond, Wash., wrote in a message to the mailing list.

The new end-user bulletins will explain the problem and remediation measures in laymans terms.

The revised guidelines add a fourth severity rating—Important—between Critical and Moderate. Important vulnerabilities are defined as those "whose exploitation could result in compromise of the confidentiality, integrity or availability of users data, or of the integrity or availability of processing resources."

Microsoft implemented the rating system last year in an effort to give users a better idea of which vulnerabilities needed their immediate attention.