What Makes a Critical Vulnerability Critical?

The lack of standards or consistency in the industry makes prioritization difficult for IT. Microsoft's severity ratings are probably on target, but their definitions are obsolete.

Today's Patch Tuesday bulletins announced 11 vulnerabilities: four critical, six important, and one moderate. What do these terms mean?

You see severity ratings most of the time you see a vulnerability disclosure, but there are no hard standards for severity ratings. In fact, some vendors (most infamously Apple) don't provide any severity ratings for their vulnerabilities. Not that Apple is a big issue for many enterprises, but the absence of severity ratings makes it difficult to prioritize patches.

Microsoft's definitions for their ratings were last updated November 2002, so they're pretty comfortable with them. Let's look at the definition of Critical: "A vulnerability whose exploitation could allow the propagation of an Internet worm without user action." That's pretty serious stuff. Sounds like Blaster and Code Red. Did four of this month's vulnerabilities really have the potential to result in Internet worms?

I'll go out on a limb and say no, but it depends on what you mean by Internet worm. I think of a program which spreads itself around without users taking any action, like Blaster or Slammer. Microsoft uses the term Critical often when user interaction is required.


Consider this month's critical update MS08-057 (Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution). This describes three vulnerabilities in Excel that result from opening a potentially malicious document. Only on Windows 2000 is it rated critical, since that version does not, by default, include the functionality of the Office Document Open Confirmation Tool for Office 2000, which forces confirmation for opening documents. This is not what makes an "Internet worm."

In fact, Microsoft has been ignoring its own definition of critical for years, as it should. There haven't been any real Internet worms for Windows in years, and nobody else restricts their definition of "critical" to such dire circumstances. Microsoft's Jeff Jones alludes to these points in a blog post on severity rating systems from last year.

I think for most vendors critical means remote code execution, but not to Microsoft, at least not officially. It's not hard to find Microsoft remote code execution vulnerabilities rated Important, such as MS08-049: Vulnerabilities in Event System Could Allow Remote Code Execution. I think the difference in MS08-049 is that the attacker has to be authenticated, which is a serious limitation in the attack.