The Severity of Vulnerabilities

I have been looking at how vendors classify vulnerability severity and I keep finding discrepancies between what the vendor says and what the CVSS score suggests.

Take the most recent batch of Microsoft patches. Two of the vulnerabilities rated as Important by Microsoft score above 8.0 on the CVSS v2 scale. By most definitions that is Critical, not Important. Yet Microsoft uses its own rating system that factors in exploitability and does not always align with CVSS.

This matters because enterprise patch management workflows often prioritize by vendor severity. If your WSUS deployment is configured to auto-approve Critical patches but defer Important ones to the next maintenance window, you are leaving high-CVSS vulnerabilities unpatched for days or weeks based on a vendor classification that may not reflect actual risk.

The Microsoft Rating System

Microsoft uses four severity levels: Critical, Important, Moderate, and Low. Their definitions focus on exploitation scenarios rather than raw impact scores. A vulnerability that requires authentication to exploit might be rated Important even if successful exploitation gives the attacker full system control.

I pulled the data from every Microsoft security bulletin in 2006 and compared the vendor severity against NVD CVSS scores. The results are concerning. Twenty-three vulnerabilities rated Important by Microsoft had CVSS base scores above 7.5. Twelve of those scored above 8.5.

Other Vendors

Microsoft is not alone in this. Oracle, Adobe, and Cisco all maintain proprietary severity scales that diverge from CVSS in specific ways. Oracle is particularly opaque: its Critical Patch Updates include a CVSS score, but the accompanying text often downplays the risk.

The problem is structural. Vendors have an incentive to minimize the perceived severity of vulnerabilities in their products. CVSS, whatever its flaws, is at least vendor-neutral.

What Should Enterprises Do?

First, do not rely solely on vendor severity for patch prioritization. Use CVSS scores from NVD as an independent data point. Second, build your own severity classification that accounts for your specific environment. Third, track the discrepancies over time. If a vendor consistently under-rates vulnerabilities, factor that into your risk assessment.
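The three steps above, worked through as an added example (not the post's own tooling): reconcile each vendor rating with an independent CVSS-derived rating, take the worse of the two as the severity that drives patch approval, and keep a per-vendor under-rating rate across cycles. The four-level scale is Microsoft's; applying it to other vendors, the CVSS-to-level thresholds (built around the post's "above 8.0" cut-off), and all bulletin IDs and scores are assumptions or constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Microsoft's four levels; applying the same scale to other vendors is an assumption here.
VENDOR_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


def cvss_v2_to_vendor_level(score: float) -> str:
    """Map a CVSS v2 base score onto the four-level vendor scale.
    Thresholds are assumed for this example: the post's 'above 8.0' is Critical;
    the rest follow NVD's v2 bands (High >= 7.0, Medium 4.0-6.9, Low < 4.0)."""
    if score > 8.0:
        return "Critical"
    if score >= 7.0:
        return "Important"
    if score >= 4.0:
        return "Moderate"
    return "Low"


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    vendor: str
    vendor_severity: str
    cvss_v2: float


def effective_severity(b: Bulletin) -> str:
    """Worse of vendor rating and CVSS-derived rating: the value an
    'auto-approve Critical' deployment rule should key on, not the vendor label."""
    return max(b.vendor_severity, cvss_v2_to_vendor_level(b.cvss_v2), key=VENDOR_RANK.__getitem__)


def underrated(bulletins):
    """Bulletins the vendor rated below what the CVSS score implies."""
    return [b for b in bulletins if effective_severity(b) != b.vendor_severity]


def underrating_rate(bulletins) -> dict:
    """Per-vendor share of under-rated bulletins; track this across patch cycles."""
    total, under = defaultdict(int), defaultdict(int)
    for b in bulletins:
        total[b.vendor] += 1
    for b in underrated(bulletins):
        under[b.vendor] += 1
    return {v: round(under[v] / total[v], 2) for v in total}


# Constructed sample data: IDs and scores are made up, not real bulletins.
SAMPLE = [
    Bulletin("EXAMPLE-MS-001", "Microsoft", "Important", 8.8),
    Bulletin("EXAMPLE-MS-002", "Microsoft", "Critical", 9.3),
    Bulletin("EXAMPLE-MS-003", "Microsoft", "Important", 7.5),
    Bulletin("EXAMPLE-MS-004", "Microsoft", "Moderate", 6.8),
    Bulletin("EXAMPLE-MS-005", "Microsoft", "Important", 8.0),
    Bulletin("EXAMPLE-OR-001", "Oracle", "Moderate", 7.2),
]
```

Running `underrated(SAMPLE)` flags EXAMPLE-MS-001 and EXAMPLE-OR-001, and `underrating_rate(SAMPLE)` gives the per-vendor fractions to compare cycle over cycle.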

I will continue publishing the comparison data as new patch cycles come out. The full spreadsheet for 2006 is available on request.