News

Microsoft Creates Security Bulletin Rating System

• By Stephen Swoyer
• 10/22/2001

In the past, Microsoft has by default advised IT organizations to install most of the hotfix updates that it’s released, regardless of whether or not an IT organization was actually affected by the bugs that were patched. This has led to confusion and frustration among IT managers, who’ve had to pick and choose from among 60 security-related software patches in 1999 and 100 in 2000. Thus far in 2001, Microsoft has released 52 security-related software patch updates.

“They usually tell you to apply a patch anyway, regardless of whether or not it actually affects you, just so that they can say ‘We told you to install this’ if anything happens,” commented Bill Tillson, a Windows NT Systems Operations Manager with Primus Managed Hosting Solutions, in the immediate aftermath of the first wave of Code Red attacks in July. “I’m sorry, but sometimes the effect of [this practice] is to make you doubt the importance of the patches [in general].”

Microsoft’s security bulletin rating system purports to evaluate the potential seriousness of a vulnerability according to whether or not a Windows NT 4.0 or Windows 2000 server directly faces the Internet; is situated behind a firewall or located on an intranet; or is a client system (Windows NT 4.0, Windows 2000 Professional, Windows XP) that could be exposed directly to the Internet or situated behind a firewall.

In each such contingency, Microsoft proposes to assign a “critical,” “moderate” or “low” rating to new vulnerabilities as they are discovered. The severity of a rating will be determined, Microsoft says, according to the potential for damage -- e.g., denial-of-service (DoS), Web page defacement, system compromise, data disclosure, execution of arbitrary code, etc. -- that could be associated with successful exploitation of a particular vulnerability in a specific context.

For example, the indexing service vulnerability that Code Red and its subsequent iterations so successfully exploited would likely have been assigned a “critical” rating for Internet-facing servers, a “critical” or “moderate” rating for servers situated behind a firewall and a “low” rating for client-only systems (which, with very few exceptions, are rarely configured with IIS Web services).

At the same time, the spate of Internet Explorer bugs that the software giant patched almost two weeks ago would probably merit “low” to “moderate” severity ratings for Internet-facing and intranet-based servers, but would probably be accorded a “critical” rating for client-only systems.

Microsoft says that it will initially exclude information about system environments and associated severity from its new security bulletin rating system, but indicates that it hopes to include information of this kind in security bulletin releases at some point in the future. The recent IE vulnerabilities provide an example of why that information is important. Windows NT 4.0 Terminal Services Edition or Windows 2000 Server/Advanced Server systems that support multiple client sessions using Microsoft’s integrated terminal services component are affected by that kind of vulnerability as well.

According to Russ Cooper, editor of the Windows NT Bugtraq Mailing List, Microsoft’s new security bulletin rating system marks a reversal of course, of sorts, for the software giant.

“The conversation has always been that Microsoft had no choice but to always recommend that every bulletin get applied to every computer for fear that liability would fall on their head if they said that this one’s not really that important,” Cooper says. “What they’ve done now is said: ‘We’re going to take that risk. ‘We’re not always going to be right, you’re going to have to make the decision by yourself, but we’ll advise you.’”

In the aftermath of Code Red and the follow-up Nimda worm, industry observers urged IT organizations to reconsider the roles in which they’ve deployed IIS. Writing in an advisory bulletin, Gartner Group analyst Joe Pescatore went so far as to advise Gartner clients to consider dumping IIS altogether.

"Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache," he wrote.

To staunch an anticipated flow of defections from Windows NT 4.0/Windows 2000 and IIS, Microsoft over the last two months became demonstrably more serious about shoring-up the security of its Windows NT 4.0 and Windows 2000 platforms. The software giant introduced two security hotfix-checking tools in early August, unveiled an IIS “lockdown” utility in late August, and took the wraps off of its security bulletin rating system last week.

Microsoft’s own efforts notwithstanding, NT Bugtraq’s Cooper says that a lot of Windows administrators simply don’t have the knowledge and experience necessary to sufficiently secure and harden their Windows NT 4.0 and Windows 2000 systems.

“If you look at NT or 2000, the average administrator is moving up from desktop support, so a lot of times they’re inexperienced and unknowing,” he says.