April 18, 2005
So What do the Security Update Ratings Mean?
When Microsoft releases the latest round of updates on "Update Tuesday", I receive a lot of questions about what the difference is between a critical update and an important update. I find that most news media have no idea what the difference is, and in fact blur the lines when reporting on the newest updates.
First some background information...
When a security fix is released, the Microsoft Security Response Center (MSRC) issues a security bulletin that identifies the addressed vulnerability. It is this security bulletin that is assigned a severity rating. The rating system implemented by the MSRC in November 2002 uses the following ratings:
- Critical A vulnerability that might allow an attacker to gain control of your computer through elevation of privilege or by allowing access to sensitive data; in the MSRC's own wording, one whose exploitation could allow an Internet worm to propagate without user action. You should always apply critical-rated updates in your environment. I recommend starting testing of a critical update within 24 hours of the update's release. Try to expedite testing so that you can deploy the tested update to all affected systems within two weeks of release.
- Important A vulnerability that might compromise the confidentiality, integrity, or availability of user data, or the integrity or availability of processing resources. You should always apply important-rated updates in your environment. I recommend that you apply an important update within one month of the update's release. If your organization tests all updates before deployment (which is a must to prevent unexpected issues), take no longer than two months for your testing process before applying an important update.
- Moderate A vulnerability whose exploitation is mitigated to a significant degree by good security measures, such as implementing a security baseline configuration or performing regular network auditing. This rating is typically assigned to vulnerabilities that are difficult to exploit. Your organization should evaluate a moderate update to determine whether the vulnerability it addresses is relevant to your company before testing and deploying it. If the update is relevant, apply it within four months of the update's release; in some cases, consider waiting until the next service pack or roll-up that includes the patch. If your organization tests all updates, deploy the tested update within six months of release.
- Low A vulnerability that is extremely difficult to exploit or whose impact is minimal. Only consider applying a low-rated update if it addresses an issue faced by your organization. I recommend waiting until the next service pack or roll-up that includes the update before applying it. In some cases, you might decide never to deploy the update if it is not relevant to your organization.
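The four ratings above, together with the deployment windows recommended for each, amount to a small patch-management policy. The script below is an added example (not part of the original post and not an MSRC tool) that turns that policy into a deadline tracker: given a list of bulletins with their rating and release date, it computes the test-by and deploy-by dates, decides which updates may wait for a service pack or be skipped as irrelevant, and flags anything already overdue. The bulletin identifiers, release dates and the "as of" date are constructed for illustration; the windows themselves are the post's recommendations, not an MSRC mandate.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Deployment windows in days after release, taken from the post's recommendations.
# "deploy" is for an organization that rolls out without a full test cycle,
# "deploy_tested" for one that tests every update first. None means "wait for
# the next service pack or roll-up" rather than a dated deadline.
DEPLOY_WINDOWS = {
    "Critical":  {"start_testing": 1,    "deploy": 14,   "deploy_tested": 14},
    "Important": {"start_testing": None, "deploy": 30,   "deploy_tested": 60},
    "Moderate":  {"start_testing": None, "deploy": 120,  "deploy_tested": 180},
    "Low":       {"start_testing": None, "deploy": None, "deploy_tested": None},
}

# Ratings that are deployed whether or not the issue looks relevant to us.
ALWAYS_DEPLOY = {"Critical", "Important"}


@dataclass
class Bulletin:
    bulletin_id: str       # constructed identifier, not a real MSRC bulletin number
    rating: str
    released: date
    relevant: bool = True  # does the vulnerability apply to our environment?


def plan_bulletin(b, as_of, full_testing=True):
    """Decide what to do with one bulletin and whether we are already late."""
    if b.rating not in DEPLOY_WINDOWS:
        raise ValueError(f"unknown severity rating: {b.rating!r}")
    win = DEPLOY_WINDOWS[b.rating]
    if b.rating not in ALWAYS_DEPLOY and not b.relevant:
        # Moderate/Low updates that do not apply to us can wait for a roll-up
        # or be skipped; record the decision so it is auditable later.
        return {"id": b.bulletin_id, "rating": b.rating, "action": "defer-or-skip",
                "test_by": None, "deadline": None, "overdue": False}
    days = win["deploy_tested"] if full_testing else win["deploy"]
    if days is None:
        return {"id": b.bulletin_id, "rating": b.rating, "action": "next-service-pack",
                "test_by": None, "deadline": None, "overdue": False}
    deadline = b.released + timedelta(days=days)
    test_by = None
    if win["start_testing"] is not None:
        test_by = b.released + timedelta(days=win["start_testing"])
    return {"id": b.bulletin_id, "rating": b.rating, "action": "deploy",
            "test_by": test_by, "deadline": deadline, "overdue": as_of > deadline}


def plan(bulletins, as_of, full_testing=True):
    """Plan every bulletin: dated deadlines first (soonest first), undated last."""
    plans = [plan_bulletin(b, as_of, full_testing) for b in bulletins]
    return sorted(plans, key=lambda p: (p["deadline"] is None, p["deadline"] or date.max))


# Constructed sample data: IDs, dates and the "today" used for the overdue check
# are made up for illustration.
AS_OF = date(2005, 4, 18)
SAMPLE = [
    Bulletin("SAMPLE-01", "Critical",  date(2005, 4, 12)),
    Bulletin("SAMPLE-02", "Important", date(2005, 2, 8)),
    Bulletin("SAMPLE-03", "Moderate",  date(2005, 1, 11), relevant=False),
    Bulletin("SAMPLE-04", "Low",       date(2005, 3, 8)),
]

if __name__ == "__main__":
    for p in plan(SAMPLE, as_of=AS_OF):
        print(p)
```

Run as-is it lists the sample bulletins in deadline order; the Important one released in February comes out overdue under the two-month testing window, while the Critical one released the previous week still has its two-week window open. Swap `full_testing=False` in to see the tighter windows the post recommends for organizations that deploy without a full test cycle.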
Finally, a critical update is not necessarily a bad thing. Yes, it addresses a vulnerability that can expose your computers to attackers, but remember that the security update fixes the problem. Once a critical update is released, it is a race between you and a potential attacker, because the public bulletin also tells attackers where to look. Get testing and get that update deployed - you win the race!
Brian
Posted by at April 18, 2005 11:31 AM