Why Microsoft's vulnerability severity ratings are obsolete

The distinction between 'critical' and 'important' has become meaningless. It makes no sense to treat them differently. Patch Tuesday needs a patch.

In the last 12 months Microsoft has released 139 security bulletins; 55 of them carry a severity rating of 'Critical' and 84 of them 'Important.' The point of these severity ratings is a noble one: to help IT prioritize updates. But the distinction has outlived its usefulness.

Microsoft defines the differences between Critical and Important as:

Critical: A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.
Microsoft recommends that customers apply Critical updates immediately.
Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where client is compromised with warnings or prompts regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered.
Microsoft recommends that customers apply Important updates at the earliest opportunity.


There are also definitions for Moderate and Low severity, but these have fallen into disuse. The last one I can find is from November 2014. I don't know where they've gone, but I wouldn't be surprised if Microsoft is categorizing such issues as non-security bugs in the non-security updates, the details of which are scanty.

So what is the difference between Critical and Important? Critical certainly sounds horrific. You could just be sitting there doing nothing, minding your own business, and still get exploited. How is Important less severe? The confidentiality, integrity, or availability of user data and processing resources could be compromised.

Notice that the definitions aren't really using the same terms: Critical is defined in terms of malicious code running, while Important is defined in terms of how the user is affected. The defining characteristic of Critical is that exploitation could happen with no inherently dangerous action by the user, but Important also covers that case: "Sequences of user actions that do not generate prompts or warnings are also covered."

If you look at real-world bulletins, such as those from this month's Patch Tuesday, you find some good examples. Look at the Security Update for .NET Framework to Address Security Feature Bypass (CVE-2016-0132) in MS16-035, which allows an attacker to modify an XML file without invalidating the signature on it. Credit is given to Anders Abel, a developer in Sweden who has a lot to say about proper XML signing practices, and the bottom line is that the unpatched .NET Framework doesn't validate XML signatures properly: a signature can check out even though the signed content is not the content the application goes on to use.

How common is Microsoft's error, which is specifically a failure to check the references in the XML document? Abel says "it is so common, that just about every well-known SAML2 implementation was hacked through it a few years ago (OWASP has an overview slide deck about it)." This is potentially a really serious problem, but it only rates as Important.
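To make the failure mode concrete, here is an added example of the reference problem behind the SAML signature-wrapping attacks Abel alludes to. It is not .NET's SignedXml code, not Abel's, and not a reproduction of CVE-2016-0132; it is a constructed toy in which an HMAC over the serialized element stands in for a real XMLDSig signature and `ET.tostring` stands in for C14N canonicalization. The document, the key, the element names (`Response`, `Assertion`, `Extensions`) and the `ID`/`user` attributes are all assumptions made for the demo. A naive consumer resolves the `Reference` by ID anywhere in the document, checks the digest, and then reads the first `Assertion` it finds; an attacker can keep the signed element intact elsewhere and plant a forged one where the application looks. The hardened consumer returns only the element the signature actually covered and requires it to be the one and only `Assertion` being consumed.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo key; stands in for the signer's private key. A real XMLDSig
# signature would use RSA/ECDSA over a C14N-canonicalised digest, not an HMAC.
KEY = b"constructed-demo-key"

# Constructed input: a SAML-like response whose single Assertion the signer covers.
ORIGINAL = '<Response><Assertion ID="a1" user="alice"/></Response>'


def canonical(elem):
    """Toy canonicalisation: serialise the element and its subtree, ignoring tail text."""
    clone = copy.deepcopy(elem)
    clone.tail = None
    return ET.tostring(clone, encoding="utf-8")


def elements_with_id(root, ident):
    """Every element anywhere in the document carrying the given ID attribute."""
    return [e for e in root.iter() if e.get("ID") == ident]


def digest_of(elem):
    return hmac.new(KEY, canonical(elem), hashlib.sha256).hexdigest()


def sign_document(doc_xml, target_id):
    """Append a Signature whose Reference URI="#target_id" covers that element."""
    root = ET.fromstring(doc_xml)
    target = elements_with_id(root, target_id)[0]
    digest = digest_of(target)  # computed before the Signature element exists
    ref = ET.SubElement(ET.SubElement(root, "Signature"), "Reference", URI="#" + target_id)
    ref.text = digest
    return ET.tostring(root, encoding="unicode")


def naive_verify(doc_xml):
    """Resolve the Reference, check the digest, answer yes/no. Nothing more."""
    root = ET.fromstring(doc_xml)
    ref = root.find("Signature/Reference")
    target = elements_with_id(root, ref.get("URI")[1:])[0]
    return hmac.compare_digest(digest_of(target), ref.text)


def naive_consume(doc_xml):
    """The pattern behind the SAML wrapping breaches: verify, then read the Assertion
    by position, with nothing tying the two steps together."""
    if not naive_verify(doc_xml):
        raise ValueError("bad signature")
    return ET.fromstring(doc_xml).find("Assertion").get("user")


def wrap_attack(signed_xml):
    """Signature wrapping: keep the signed Assertion intact but park it elsewhere, and
    put a forged Assertion where the application looks. The Reference still resolves
    to the untouched original, so the digest matches."""
    root = ET.fromstring(signed_xml)
    original = root.find("Assertion")
    root.remove(original)
    ET.SubElement(root, "Extensions").append(original)  # attacker-chosen hiding place
    root.insert(0, ET.Element("Assertion", ID="a2", user="admin"))
    return ET.tostring(root, encoding="unicode")


def hardened_consume(doc_xml):
    """Verify and consume in one step: return only the element the signature covered,
    and require it to be the one and only Assertion directly under the root."""
    root = ET.fromstring(doc_xml)
    ref = root.find("Signature/Reference")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    matches = elements_with_id(root, uri[1:])
    if len(matches) != 1:
        raise ValueError("referenced ID must identify exactly one element")
    target = matches[0]
    if not hmac.compare_digest(digest_of(target), ref.text or ""):
        raise ValueError("bad signature")
    assertions = root.findall("Assertion")
    if len(assertions) != 1 or assertions[0] is not target:
        raise ValueError("signed element is not the Assertion being consumed")
    return target.get("user")


def run_demo():
    """Returns (naive on signed, hardened on signed, naive on attacked, hardened on attacked)."""
    signed = sign_document(ORIGINAL, "a1")
    attacked = wrap_attack(signed)
    try:
        hardened_result = hardened_consume(attacked)
    except ValueError:
        hardened_result = "rejected"
    return (naive_consume(signed), hardened_consume(signed),
            naive_consume(attacked), hardened_result)


if __name__ == "__main__":
    print(run_demo())
```

The naive path accepts the wrapped document and hands the application "admin", even though the signature is perfectly valid for the element it references. The fix is not a stronger signature but binding: the verifier must return the verified node, the consumer must use that node and no other, and same-document references should resolve to exactly one element. Real implementations also need to canonicalize properly and reject external or transform-laden references, which this toy leaves out.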

Consider also the Library Loading Input Validation Remote Code Execution Vulnerability in MS16-025, rated Important. The problem arises when "Windows fails to properly validate input before loading certain libraries." Exactly what input and which libraries is unclear, and Microsoft gives no acknowledgement to whoever reported the vulnerability, but the implications are as bad as any Critical remote code execution bug. There is a stated mitigating factor: "To exploit the vulnerability, an attacker must first gain access to the local system and have the ability to execute a malicious application." And yet how much of a mitigation is this really? Are you allowed to run executable code on your own system?

The severity ratings also ignore the implications of chaining vulnerabilities. If a user is running with standard user privileges and a Critical remote code execution vulnerability is exploited, the malicious code runs with standard user privileges. If the attacker then uses an Important elevation of privilege vulnerability to become administrator, the implications are at least as severe as the Critical bug alone. That Microsoft rates all Privilege Elevation bugs as Important understates their importance.


I asked Microsoft for a reaction and they supplied this statement: "As a best practice, we encourage customers to apply all security updates as soon as they're released to protect from malicious attackers. Some customers have traditionally asked for additional security guidance to help them prioritize their manual deployment process. More information about severity ratings and the exploitability index can be found on the Security TechCenter."

Google's severity definitions for Chromium are very different, but Google is in a different position from Microsoft. Microsoft still allows administrators of managed networks to pick and choose which updates to install (this capability seems to be gone in consumer versions of Windows 10), but with Chrome you get an update every few weeks and you get all the fixes in it, whether you like it or not.

For Google, the main difference between High, Medium and Low severity is how the fixes are prioritized into upcoming versions. High goes in ASAP, in the "current stable milestone" as they term it. Medium severity bugs are also usually assigned to the current stable milestone, but may be put off if they would complicate the schedule or if there are significant mitigating factors. Low-severity bugs are not normally assigned to stable or beta branches, but are handled on a case-by-case basis.

It wouldn't surprise me if Microsoft effectively has only two categories now: security and non-security. What was formerly a Low or Moderate severity bug is now prioritized accordingly and buried in the non-security releases. Security updates are all those which Microsoft argues customers should apply as soon as possible, and their statement says as much. For consumers using Windows 10, the Chrome model has already arrived: you get all of the updates and you get no choice. In the long term something like that will happen with enterprises as well, as more and more software moves into the cloud, where Microsoft, not the customer, updates it.
