Microsoft recently changed how it presents and explains the security vulnerabilities in its products. The new guide aligns with industry practice by describing each vulnerability with the Common Vulnerability Scoring System (CVSS), which records a vulnerability’s key characteristics and derives a numerical severity score from them. The intent of that score is to help organizations assess a vulnerability’s risk and prioritize their response. Microsoft scores every vulnerability (except for those in products it patches automatically, such as Microsoft Edge) and shows the individual metrics that make up that score in a new version of its Security Update Guide.
What’s in the new Security Update Guide
Each vulnerability entry in the Security Update Guide starts with the CVSS base metrics. The first of these is the attack vector, which states where an attacker has to be in order to exploit the flaw. CVSS defines four values, which from most to least severe are network, adjacent network, local, and physical. Network means the vulnerability is exploitable remotely over the network, which is why network-reachable flaws are usually the most impactful. Adjacent network means the attacker must sit on the same shared physical or logical network segment as the target, for example within Bluetooth range or on a LAN segment where ARP spoofing is possible. Local means the attacker needs a foothold on the system itself, either hands-on at the console or through a local account (a remote shell session counts). Physical means the attacker must physically touch or connect to the vulnerable hardware before the attack can succeed.