Microsoft Security Bulletin Severity Rating System

An Explanation of the Microsoft Security Bulletin Severity Rating System


The Microsoft Security Bulletin Severity Rating System is a simple, four-level severity rating system applied to each Microsoft Security Bulletin. It provides a quick and easy way to assess the possible risk posed by the security weakness the bulletin addresses.

Different vulnerabilities have different impacts, but most users have no way to judge how crucial a given update is. Rather than leaving you to decide for yourself which updates to apply promptly and which you can likely defer, Microsoft developed the Security Bulletin Severity Rating System to rate them for you.


Security Rating Definitions

As mentioned above, there are four ratings in this system. They're listed below with Microsoft's own definitions, in decreasing order of how urgently the corresponding updates should be applied:

  • Critical: A vulnerability whose exploitation could allow the propagation of an internet worm without user action, and possibly without even a prompt.

    Microsoft recommends applying Critical updates as soon as possible.

  • Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.

    Microsoft recommends applying Important updates at the earliest opportunity. While they're definitely important, they're not necessarily as vital as Critical updates.

  • Moderate: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

    Microsoft only recommends that users consider applying Moderate updates.

  • Low: A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

    At the opposite end from Critical updates, Microsoft recommends that users decide for themselves whether or not to apply this type of security update.

You can read more about Microsoft's rating system at their Microsoft Security TechCenter Security Bulletin Severity Rating System page.

More Information on Security Ratings

The Microsoft Security Response Center releases these security bulletins on the second Tuesday of each month, known as Patch Tuesday. Each bulletin has at least one Knowledge Base article that provides more information about the update.

You can go through the security bulletins at the Microsoft Security Bulletins page on Microsoft's website. The bulletins can be organized by date, bulletin number, Knowledge Base number, title, and bulletin rating. They're also searchable and can be filtered by product or component, like Microsoft Office, Adobe Flash Player, Windows Media Center, etc.
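As an added example (not code from Microsoft or from this article), the following script triages a bulletin listing using the four ratings and recommended actions defined above and the fields the bulletins page lets you sort by (date, bulletin number, KB number, rating, title). The listing, bulletin IDs and KB numbers are constructed placeholders, and the CSV layout is an assumption, not Microsoft's feed format.

```python
import csv
from io import StringIO

# Microsoft's four ratings, most urgent first, paired with the recommendation
# the article gives for each level.
SEVERITY_ORDER = ["Critical", "Important", "Moderate", "Low"]
RECOMMENDED_ACTION = {
    "Critical": "apply as soon as possible",
    "Important": "apply at the earliest opportunity",
    "Moderate": "consider applying",
    "Low": "decide whether or not to apply",
}

# Constructed sample listing (placeholder IDs, not a real Microsoft feed).
SAMPLE_LISTING = """date,bulletin,kb,rating,title
2016-01-12,MS16-EXAMPLE-A,KB0000001,Important,Example bulletin for a document parser
2016-01-12,MS16-EXAMPLE-B,KB0000002,Critical,Example bulletin for a network service
2015-12-08,MS15-EXAMPLE-C,KB0000003,Critical,Example bulletin for a browser
2016-01-12,MS16-EXAMPLE-D,KB0000004,Low,Example bulletin with minimal impact
2016-01-12,MS16-EXAMPLE-E,KB0000005,Unknown,Example row with an unrecognised rating
"""


def parse_listing(text):
    """Return (bulletins, rejected): rows with one of the four defined ratings,
    and rows whose rating is not recognised and therefore needs manual review."""
    bulletins, rejected = [], []
    for row in csv.DictReader(StringIO(text)):
        (bulletins if row["rating"] in SEVERITY_ORDER else rejected).append(row)
    return bulletins, rejected


def triage(bulletins):
    """Order bulletins most urgent first: by rating, then oldest first so that
    long-outstanding updates surface; attach the recommended action."""
    ranked = sorted(bulletins,
                    key=lambda b: (SEVERITY_ORDER.index(b["rating"]), b["date"]))
    return [(b["bulletin"], b["kb"], b["rating"], RECOMMENDED_ACTION[b["rating"]])
            for b in ranked]


if __name__ == "__main__":
    accepted, needs_review = parse_listing(SAMPLE_LISTING)
    for item in triage(accepted):
        print(item)
    for row in needs_review:
        print("manual review, unrecognised rating:", row["bulletin"], row["rating"])
```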

You can get notifications when Microsoft releases new bulletins. Go to their Microsoft Technical Security Notifications page to subscribe by email or RSS feed. A download is also available here on Microsoft's website.

The definitions above describe the worst possible outcome. A Critical rating on an update doesn't mean that the particular problem it fixes will be exploited to its full extent. Nor does it mean that your computer is currently the victim of that type of attack; it means your system is vulnerable to the attack because that specific update has yet to be applied.

Security advisories are similar to bulletins in that they carry information that may affect some users, but they don't require a bulletin because they typically don't describe a vulnerability. Security advisories are just another way for Microsoft to relay security information to users. You can get RSS updates for these as well, through this RSS feed.
