I’ve never quite liked Microsoft’s severity rating system for security vulnerabilities; today’s pre-announcement for this month’s Patch Tuesday provides a very good example of the problem I have with it. Microsoft provides four severity levels for security issues, and the different ratings appear to make sense at first sight:

[Image: Microsoft security severity levels]

So what is the problem? The definition of “Critical” leaves a bit to be desired. When I read “propagation of an Internet worm without user action”, I’m thinking of a remotely exploitable issue, leading to worms such as Sasser. So when Microsoft announces that there will be a patch for a Critical issue in Exchange next week, alarm bells start ringing. There must be a remotely exploitable hole in Exchange, and since Exchange servers are generally accessible from the internet it will only be a matter of time before a worm pops up that abuses this.

The problem is not this rating, but the fact that the same advance notification also includes a Critical issue for Internet Explorer. Since Internet Explorer doesn’t listen on a network port, and only launches when a webpage needs to be rendered, I find it hard to believe that there can be a worm that exploits this without user intervention. So the Critical label loses a lot of its meaning; there is no way to tell exactly how critical the Exchange issue actually is. It’s clear that the patch needs to be installed ASAP, but an additional “Extremely Critical” level for wormable bugs that can be exploited via a network port that is listening in the default configuration of the software would be a nice addition.