Security Update Severity Rating System

Attacks that impact customers' systems rarely result from attackers' exploitation of previously unknown vulnerabilities. Rather, they exploit vulnerabilities for which patches are available but not applied. For this reason, Microsoft recommends that customers make patching a priority. Currently available updates are listed in the Security Update Guide.

However, not all vulnerabilities are equally severe. To help customers understand the risk associated with each vulnerability we patch, we have published a severity rating system that rates each vulnerability according to the worst theoretical outcome were that vulnerability to be exploited.

Rating and definition

Critical

A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.

Microsoft recommends that customers apply Critical updates immediately.

Important

A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where the client is compromised with warnings or prompts, regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered.

Microsoft recommends that customers apply Important updates at the earliest opportunity.

Moderate

Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations.

Microsoft recommends that customers consider applying the security update.

Low

Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component.

Microsoft recommends that customers evaluate whether to apply the security update to the affected systems.


The measure of a vulnerability’s severity is distinct from the likelihood of a vulnerability being exploited. To assess that likelihood, the Microsoft Exploitability Index provides additional information to help customers better prioritize the deployment of Microsoft security updates. This index provides customers with guidance on the likelihood of functioning exploit code being developed for vulnerabilities addressed by Microsoft security updates, within the first thirty days of that update's release.

While this severity rating system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which updates are required to protect their systems.