Microsoft amends vulnerability rating system

After customers complained that they couldn't identify the most serious security vulnerabilities, Microsoft Corp. has added a fourth category to its vulnerability rating system. But critics feel that the extra tier adds even more complexity to an administrator's job.

Under the new system, fewer bulletins get the "critical" stamp. Only vulnerabilities that could be exploited to allow malicious Internet worms to spread without user action are now rated critical. Many issues that were previously rated critical are now "important," a new category in the rating system. These "important" vulnerabilities could still expose user data or threaten system resources, but they might not receive the urgent attention from administrators that they deserve.

"If Microsoft wanted to simplify matters, they should've done just that -- cut the categories down from three to two levels. Administrators want to know whether a patch needs to be applied immediately, or if they can conveniently schedule it," says Thor Larholm, a Copenhagen, Denmark-based security researcher with PivX Solutions LLC.

A two-tiered system would let administrators quickly decide whether they need to drop all tasks at hand and apply a patch, or whether the risk is small enough that they can wait and include it in a weekly patch cycle.
