Softpedia
 


March 12th, 2007, 13:38 GMT · By

Windows Vulnerabilities, Just as Severe in Vista



Windows Vista will not affect the severity rating of Windows vulnerabilities in any way. Microsoft catalogs security vulnerabilities across its software products according to a rating that quantifies the potential damage a successful exploit would inflict. Currently, Microsoft's severity rating system has four levels: Critical, Important, Moderate and Low.

According to Microsoft, critical vulnerabilities allow the propagation of an Internet worm with zero user action and also deliver the most consistent impact. The exploitation of important flaws could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. Default configuration, auditing, or difficulty of exploitation are the criteria specific to moderate vulnerabilities. Finally, vulnerabilities that are difficult to exploit and have little impact receive a rating of low.

The availability of Microsoft's most secure Windows operating system at the end of January will have no effect on the severity rating system, even though that system was conceived back in November 2002. But the issue is larger than Windows Vista. The fact of the matter is that Vista's enhanced security will not diminish the rating of a vulnerability in any way.

"The MSRC rarely reduces the severity of a buffer-related security bug because a defense with no security guarantees such as /GS or /SafeSEH is in place. UAC will be a speed bump, but I doubt we would reduce the severity of many bulletins if UAC is the sole mitigation. The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity," explained Michael Howard, Microsoft Senior Security Program Manager.

What does this mean? Put simply, if Windows Vista and Windows XP share a vulnerability, it will have the same severity rating on both operating systems, even though Windows Vista delivers additional security compared to XP. "So don't be surprised if you see a bug that's, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place," Howard added. The only difference will be in the reports of the Microsoft Security Response Center.