This change allows for the following:
- We can more accurately classify security bulletin updates that do not have an "MSRC Severity" rating assigned. For example, MS13-038: Security update for Internet Explorer 9: May 14, 2013 does not have a severity rating assigned. Going forward, the "MSRC Severity" rating will be classified as "Unassigned."
- We can correctly classify security advisory updates that do not relate to a vulnerability in Microsoft code but do have security implications.
Previously, security-related content that was released together with a security advisory was classified as a nonsecurity update, usually by using the "Critical" update classification. This can be a source of confusion for enterprise administrators who know about the security advisory but do not see a security update in their Microsoft Windows Server Update Services (WSUS) server consoles. Going forward, such content will be classified as a "Security update" with an "MSRC Severity" rating of "Unassigned." This change will enable enterprise administrators to more quickly identify updates that affect security and to more effectively associate security content with the security advisories that it relates to.
Microsoft Security Bulletins may also be classified in this manner. For example, during the investigation of a security vulnerability, we may find a scenario in which the exploitation of the vulnerability is confirmed to affect one version of one product but is not exploitable on another product that uses similar code. In this scenario, we will likely be proactive and comprehensively address both products. For such issues (that is, issues in which we release an update as a defense-in-depth measure), we may also classify the packages by using the "MSRC Severity" rating of "Unassigned."
Article ID: 2849195 - Last Review: May 17, 2013 - Revision: 1