What you need to know about changes to Microsoft's Security Update Guide

The Security Update Guide now aligns more closely with the CVSS, but sometimes lacks information needed to properly respond to a vulnerability report.


Microsoft recently changed how it presents and explains its security vulnerabilities in its products. The new security guide aligns itself with security and industry standards by describing the vulnerabilities with the Common Vulnerability Scoring System (CVSS), which presents a vulnerability’s key characteristics and assigns a numerical score to its severity. The intent of that score is to help organizations better assess a vulnerability’s risk and respond appropriately. Microsoft scores every vulnerability (except for those that it automatically patches, such as with Microsoft Edge) and displays the details that make up that score in a new version of its Security Update Guide.

What's in the new Security Update Guide

Each vulnerability bulletin in the Security Update Guide starts with the base score metrics. The first of these is the attack vector, which indicates where an attacker must be positioned to exploit the flaw: local, adjacent network, physical, or network. Local means the attacker must already have physical access to the vulnerable system or a local account on it. Adjacent network means the attacker must be on the same logically adjacent network segment as the target (for example, within Bluetooth range, or able to perform ARP spoofing on the same LAN). Physical means the attacker needs hands-on access to the device before the attack can succeed. Network means the flaw is exploitable remotely over the network; these are usually the most impactful vulnerabilities.

[Figure: Security Update Guide, top half]
