Microsoft System Rates Vulnerabilities

Microsoft Corp. has unveiled a new vulnerability rating system that company officials hope will help systems administrators evaluate which problems need immediate attention and which ones can wait.

The severity rating system, announced by the company's Security Response Center, divides bulletins into three categories: critical, moderate and low. Each rating is further subdivided by operating environment: Internet server, internal server and desktop, so a single flaw can carry a different severity in each.

For example, on Internet servers, critical flaws are those that enable attacks such as denial of service or Web site defacement, or that let an intruder gain full control of the server. A low rating applies to flaws with limited impact, such as disclosure of scripts.

The new system is the result of Microsoft's conclusion that many administrators are too overloaded with work to sift through all of its security bulletins, including the 100 it issued last year.

Until now, Microsoft, like virtually every other software vendor, has lumped all of its bulletins together without distinguishing those that could cripple a network from those that are mere nuisances.

"Both large and small customers encouraged us to add this sort of information to our bulletins to help them assess risk," the Microsoft advisory said.

In future bulletins, Microsoft will include information about the severity of each vulnerability as well as the system environment it affects. And the searchable database of bulletins on the Microsoft security Web site will be updated to enable users to browse alerts by environment or severity rating.
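The three-by-three scheme described above (three severities, each rated per environment) and the "browse by environment or severity" lookup are simple enough to put into a triage script. The following is an added example, not code from Microsoft or from any of the tools named in the article; the bulletin identifiers, ratings and hosts are constructed for illustration, and the list of missing bulletins per host is assumed to come from whatever patch scanner the administrator already runs.

```python
"""Triage missing patches with a severity-by-environment rating scheme.

Added example: every bulletin, host and identifier below is constructed
for illustration and is not real vendor data.
"""
from dataclasses import dataclass

# The three severity tiers, ranked so that a higher number is more urgent.
SEVERITY_RANK = {"critical": 3, "moderate": 2, "low": 1}
# The three operating environments each bulletin is rated against.
ENVIRONMENTS = ("internet_server", "internal_server", "desktop")
# Marker for a bulletin we hold no rating for; it sorts above "critical"
# so that a human reviews it instead of it being silently dropped.
UNRATED = "unrated"


@dataclass(frozen=True)
class Bulletin:
    ident: str
    ratings: dict  # environment -> severity, one entry per environment


@dataclass(frozen=True)
class Host:
    name: str
    role: str           # one of ENVIRONMENTS
    missing: frozenset  # bulletin idents the host has not yet applied


def validate(bulletin: Bulletin) -> None:
    """Reject a bulletin that is not rated for every environment."""
    for env in ENVIRONMENTS:
        sev = bulletin.ratings.get(env)
        if sev not in SEVERITY_RANK:
            raise ValueError(f"{bulletin.ident}: bad rating for {env}: {sev!r}")


def browse(bulletins, environment=None, severity=None):
    """Filter bulletins by environment and/or severity, like a searchable index.

    With only a severity given, a bulletin matches if it carries that rating
    in any environment.
    """
    if environment is not None and environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment {environment!r}")
    envs = [environment] if environment else list(ENVIRONMENTS)
    out = []
    for b in bulletins:
        validate(b)
        if severity is None or any(b.ratings[e] == severity for e in envs):
            out.append(b.ident)
    return sorted(out)


def triage(bulletins, hosts):
    """Per host, list its missing bulletins most urgent first.

    Each bulletin is rated for the host's own role, so the same bulletin can
    be critical on a Web server and low on a desktop.
    """
    index = {}
    for b in bulletins:
        validate(b)
        index[b.ident] = b
    plan = {}
    for h in hosts:
        if h.role not in ENVIRONMENTS:
            raise ValueError(f"{h.name}: unknown role {h.role!r}")
        items = []
        for ident in h.missing:
            b = index.get(ident)
            sev = b.ratings[h.role] if b else UNRATED
            items.append((sev, ident))
        # Unrated entries get rank 4 so they sort ahead of critical ones.
        items.sort(key=lambda t: (-SEVERITY_RANK.get(t[0], 4), t[1]))
        plan[h.name] = items
    return plan


def can_wait(plan, host_name):
    """True when nothing outstanding on the host is rated above 'low'."""
    return all(sev == "low" for sev, _ in plan.get(host_name, []))


# Constructed sample data (assumption: not real bulletins or hosts).
SAMPLE_BULLETINS = [
    Bulletin("sample-1", {"internet_server": "critical",
                          "internal_server": "moderate", "desktop": "low"}),
    Bulletin("sample-2", {"internet_server": "low",
                          "internal_server": "low", "desktop": "low"}),
    Bulletin("sample-3", {"internet_server": "moderate",
                          "internal_server": "critical", "desktop": "critical"}),
]
SAMPLE_HOSTS = [
    Host("web01", "internet_server", frozenset({"sample-1", "sample-2"})),
    Host("dc01", "internal_server", frozenset({"sample-3", "sample-2"})),
    Host("ws17", "desktop", frozenset({"sample-3", "sample-9"})),  # sample-9 unknown
    Host("ws02", "desktop", frozenset({"sample-2"})),
]

if __name__ == "__main__":
    plan = triage(SAMPLE_BULLETINS, SAMPLE_HOSTS)
    for host, items in plan.items():
        print(host, "can wait" if can_wait(plan, host) else "act now", items)
    print("critical on Internet servers:",
          browse(SAMPLE_BULLETINS, environment="internet_server", severity="critical"))
```

The sort deliberately puts a bulletin with no known rating ahead of everything else: a missing rating is a gap in the administrator's data, not evidence that the flaw is harmless, so it should be looked at before the ranked ones.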

The Redmond, Wash., company will also include the rating system in its automated tools, such as Windows Update and HFNetChk.