What Makes a Critical Vulnerability Critical? - Page 2

So don't get me wrong, I think all of these vulnerabilities are properly rated, but it's the definition that's out of sync with reality. Microsoft's real definition of critical seems to be what they define as Important: "A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user's data, or of the integrity or availability of processing resources." Once again, it depends on how you define terms like "integrity," but I think it fits. And given the limitation for which Microsoft rated MS08-049 Important, I think its definition of Moderate applies well: "Exploitability is mitigated to a significant degree by factors such as default configuration, auditing or difficulty of exploitation."

I said before that there are no hard standards for severity ratings, but there is the one NIST (the National Institute of Standards and Technology) uses for the NVD (National Vulnerability Database). The NIST/NVD standard, which is used to calculate CVSS scores, breaks a vulnerability down into a set of metrics, such as Au, the level of authentication needed for exploitation. Au can take the value N (none required), S (a single instance required) or M (multiple instances required). Other metrics are more qualitative, such as AC, Access Complexity (the complexity of the attack required), whose possible values are H (High), M (Medium) or L (Low).


I can see the value in the NIST approach. In the end it is used to calculate a CVSS score that could serve the same simple rating role that vendor assertions of severity serve. For instance, the CVSS score for MS08-049, the one Microsoft rated Important, is 9.0 which NIST calls "High."

The Mozilla definitions can be found at the top of their advisory page. These are easier to understand, but probably a little too specific and simplistic. They have to do a lot of interpretation at times to shoe-horn a vulnerability into one of the definitions. They deal with this by thinking worst-case, which is the right way to do it given their definitions.

Mozilla habitually notes crash bugs with evidence of memory corruption, such as these. They say they have no evidence of exploitability, but neither can they rule out the possibility. They rate these critical, thinking worst-case scenario, as I just said. I've never seen another prominent vendor word it this way. I like the honesty of admitting the situation is technically unclear at this point. Microsoft, to my knowledge, doesn't do that. It would probably just call it a Remote Code Execution vulnerability and decline to elaborate further. Neither vendor, to be sure, is very specific about vulnerabilities in their advisories.

This month Microsoft began providing not just a rating for each vulnerability but also an "exploitability index" score, indicating whether 1) consistent exploit code is likely, 2) inconsistent exploit code is likely or 3) functional exploit code is unlikely. This adds detail for those who look at and analyze the details, but if it doesn't feed back into the ratings it may get overlooked.