Skip to main content
MSRC

Security Bulletin

Bulletin severity for October bulletins

Tuesday, October 14, 2008

Bulletin severity is an interesting topic to many blog readers. We often hear that you think a bulletin should be rated higher or lower. Sometimes we even hear one person suggesting a higher rating and another suggesting a lower rating for the same issue. J This post is not to advocate for or against the MSRC rating system but we’d just like you to understand what we were thinking for each bulletin.

MS08-049 : When kind of authentication is needed?

Wednesday, August 13, 2008

MS08-049 is an update for the Windows Event System service to correct an authenticated elevation-of-privilege vulnerability. We received a question via email yesterday about the type of authentication needed to exploit CVE-2008-1456. Our security bulletin was a little ambiguous with one reference to “logon credentials” and another to “domain credentials”. The email question was from an IT security manager who wondered whether his hardened servers could be compromised remotely.

MS08-023: Same bug, four different security bulletin ratings

Wednesday, April 09, 2008

Security bulletin MS08-023 addressed two ActiveX control vulnerabilities, one in a Visual Studio ActiveX control and another in a Yahoo!’s Music Jukebox ActiveX control. The security update sets the killbit for both controls. For more about how the killbit works, see the excellent three-part series (1, 2, 3) from early February in this blog.