Adobe adding 'priority ratings' to security alerts

The new priority ratings will be based on "historical attack patterns" for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that may be in place.
Written by Ryan Naraine, Contributor

In a move aimed at helping users understand the real-world risks associated with security vulnerabilities in its products, Adobe is now adding "priority ratings" to its security bulletins.

The addition of priority ratings will differentiate between security vulnerabilities that are being targeted by live exploits; security flaws that are historically at elevated risk; and vulnerabilities that may be theoretically dangerous but are almost never targeted by attackers.

With this change, Adobe's David Lenoe says the company will be "as simple and direct as possible about the real-world risk associated with the vulnerabilities addressed in any given security update."

Here's what the priority ratings look like:

  • Priority 1: This update resolves vulnerabilities being targeted by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for instance, within 72 hours).

  • Priority 2: This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for instance, within 30 days).

  • Priority 3: This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.

Lenoe says the new priority ratings will be based on "historical attack patterns" for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that may be in place.

"This is a new system, so we may find that adjustments will need to be made. We also believe that continuing to use the current severity ratings makes sense, since this information has been helpful to many customers, so you can expect to see both ratings being used in future security bulletins," Lenoe added.

Adobe's existing severity ratings -- Critical, Important, Moderate and Low -- will still be reflected in the new-look security warnings.
