Microsoft says it is adding a rating system to its security warnings to help customers take the appropriate steps when faced with a security threat.

	Advertisement

The company says security bulletins will be labeled with "critical," "moderate," or "low" severity ratings, and the bulletins will be sorted by type: client systems, Internet servers and internal servers.

Last year Microsoft issued 100 security warnings but the bulletins weren't organized by severity or type. The practice made it difficult for users to judge the severity of the threats, so they wouldn't install security patches, the company says.

"We are concerned that this conservative approach to identifying vulnerabilities that require action on our part may also have made it more difficult for many customers to identify those vulnerabilities that represent especially significant risks," the TechNet advisory says.

Users who didn't download security patches then ran the risk of being infected with widespread viruses such as Code Red and Nimda. Worms such as these exploit known vulnerabilities in either client software, Internet servers, or internal servers or any combination of the three, the announcement says, citing two recent, independent studies.

"We are well aware that not all vulnerabilities have equal impact on all users. When we conducted a review of the bulletins that applied to Windows 2000 (including Internet Explorer and Internet Information Service) in late 2000, we found only five bulletins (out of roughly fifty) that we subjectively judged to be of extremely high severity for the majority of affected users," the notice says.

A more detailed description of the bulletins is available in the TechNet section of Microsoft's Web site.

For more enterprise computing news, visit Computerworld online. Story copyright © 2006 Computerworld, Inc. All rights reserved.