Issue
Microsoft Update lists a vulnerability as "Critical", but the same vulnerability is listed as "Low" or "N/A" in LANDesk. Why are the ratings different?
Solution
Windows Update does not sort updates by vulnerability severity at all; it uses a different set of categories than LANDesk does. The Windows Update site groups updates as High Priority, Software Optional, and Hardware Optional. These categories do not correlate with the severity ratings that Microsoft assigns in the security bulletin or KB article for each vulnerability, so an update that Windows Update shows as High Priority can carry any severity from Critical down to Not Applicable in LANDesk.
LANDesk uses the severity level specified by the vendor. For Microsoft vulnerabilities, LANDesk uses the severity level stated in the Microsoft KB article that Microsoft provides for each vulnerability.
All of the severity levels listed for each vulnerability in the Patch Manager solution come directly from the vendor of the patch. LANDesk does not assume or decide on its own what severity level a patch for a 3rd party product should have.
How does LANDesk determine the severity level of a patch?
The 3rd party vendor that publishes the patch is responsible for determining its severity rating. Below is the breakdown of these ratings for Microsoft and for other vendors, together with the corresponding LANDesk value.
Microsoft uses the following rating system:
The Severity Rating System
The severity rating system provides a single rating for each vulnerability. The definitions of the ratings are:
Rating | Definition |
---|---|
Critical | A vulnerability whose exploitation could allow the propagation of an Internet worm without user action. |
Important | A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. |
Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation. |
Low | A vulnerability whose exploitation is extremely difficult, or whose impact is minimal. |
For more information please see http://www.microsoft.com/technet/security/bulletin/rating.mspx
LANDesk maps Microsoft severities in the following manner:
Microsoft Severity | LANDesk Severity |
---|---|
Critical | Critical |
Important | Important/High |
Moderate | Moderate/Medium |
Low | Low |
No rating given (non-security update) | Not Applicable |
For non-Microsoft content, LANDesk uses the 3rd party vendor's severity rating and maps it to one of the following LANDesk ratings:
LANDesk Severity |
---|
Service Pack |
Critical |
Important/High |
Moderate/Medium |
Low |
Not Applicable |
* Not Applicable is assigned to any vulnerability that has no vendor rating, and to any patch or software update that has no security implications. An example would be a patch that fixes a font display issue in an application.
More Information
Tip: You can open the vendor article that was used to set the severity, and read additional information about the vulnerability, by following the "More Information at:" link in the patch properties. To get to this link, right-click the vulnerability in question and select Properties, then select the Description tab. Clicking the "More Information at:" link opens the article directly.
For more information on processes to help manage and install all of the patches listed in Microsoft Update, please see the article "LANDesk Patch Manager is not installing all of the patches that show up in Windows Update".