In a move aimed at helping users understand the real-world risks associated with security vulnerabilities in its products, Adobe is now adding "priority ratings" to its security bulletins.
The priority ratings will differentiate between security vulnerabilities that are being targeted by live exploits; security flaws in products that have historically been at elevated risk; and vulnerabilities that may be theoretically dangerous but are almost never targeted by attackers.
With this change, Adobe's David Lenoe says the company will be "as simple and direct as possible about the real-world risk associated with the vulnerabilities addressed in any given security update."
- Priority 1: This update resolves vulnerabilities being targeted by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for instance, within 72 hours).
- Priority 2: This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for instance, within 30 days).
- Priority 3: This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.
Lenoe says the new priority ratings will be based on "historical attack patterns" for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that may be in place.
Adobe's existing severity ratings -- Critical, Important, Moderate and Low -- will still be reflected in the new-look security warnings.