Microsoft Corp. said it is adding a rating system to its security warnings to help customers take the appropriate steps when faced with a security threat.
The company said security bulletins will be labeled with "critical," "moderate" or "low" severity ratings, and the bulletins will be sorted by type: client systems, Internet servers and internal servers.
Last year Microsoft issued 100 security warnings but the bulletins weren't organized by severity or type. The practice made it difficult for users to judge the severity of the threats, so they wouldn't install security patches, the company said.
"We are concerned that this conservative approach to identifying vulnerabilities that require action on our part may also have made it more difficult for many customers to identify those vulnerabilities that represent especially significant risks," the TechNet advisory says.
Users who didn't download security patches then ran the risk of being infected with widespread viruses such as the Code Red and Nimda. Worms such as these exploit known vulnerabilities in either client software, Internet servers or internal servers or any combination of the three, the announcement said, citing two recent, independent studies.
"We are well aware that not all vulnerabilities have equal impact on all users. When we conducted a review of the bulletins that applied to Windows 2000 (including Internet Explorer and Internet Information Service) in late 2000, we found only five bulletins (out of roughly fifty) that we subjectively judged to be of extremely high severity for the majority of affected users," the notice said.
A more detailed description of the bulletins is available in the TechNet section of Microsoft's Web site.