The mission of the Microsoft Security Response Center (MSRC) is to help our customers operate their systems and networks securely. A major part of this mission involves evaluating reports of suspected vulnerabilities in Microsoft products and, when necessary, ensuring that updates and security bulletins that respond to bona fide reports are produced and disseminated. The MSRC issues a bulletin for any product vulnerability that could, in our judgment, result in multiple customers being affected, no matter how unlikely or limited the impact.
Not all vulnerabilities have equal impact. This document presents our security bulletin severity rating system. This system, which we revised in December 2011 based on customer feedback, is intended to help our customers decide which updates they should apply under their particular circumstances, and how rapidly they need to take action. Customers have encouraged us to include this information in our bulletins to help them assess their risk.
In industry experience, attacks that impact customers’ systems rarely result from attackers’ exploitation of previously unknown vulnerabilities. Attacks typically exploit vulnerabilities for which patches have long been available, but not applied. This is why we include deployment priorities with each severity rating.
The severity rating system provides a rating for each vulnerability per component or platform. This rating represents the worst theoretical outcome were a vulnerability to be exploited on a given component or platform. The severity rating does not indicate the likelihood of that outcome.
To assess that likelihood, Microsoft publishes the Exploitability Index, which provides additional information to help customers better prioritize the deployment of Microsoft security updates. The index gives customers guidance on the likelihood that functioning exploit code will be developed for the vulnerabilities addressed by a Microsoft security update within the first thirty days of that update’s release.
The definitions of the Severity ratings are:
| Rating | Definition |
| --- | --- |
| Critical | A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email. Microsoft recommends that customers apply Critical updates immediately. |
| Important | A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where the client is compromised with warnings or prompts, regardless of the prompt’s provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered. Microsoft recommends that customers apply Important updates at the earliest opportunity. |
| Moderate | Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. Microsoft recommends that customers consider applying the security update. |
| Low | Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component. Microsoft recommends that customers evaluate whether to apply the security update to the affected systems. |
As necessary, we will note cases where the severity of a vulnerability depends on system environment or use.
We apply this severity rating system to each issue addressed in a security bulletin. With regard to bulletins that address multiple vulnerabilities, the overall bulletin severity will reflect the highest severity issue addressed in the bulletin. While this severity rating system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which updates are required to protect their systems.