It’s Rafal Sosnowski from Microsoft Dubai Security PFE Team. I want to talk about different types of our Windows Updates.
Microsoft has the following categories of updates:
Critical Update – an update that fixes a specific, critical, non-security bug. Such a bug can, for example, cause serious performance degradation, break interoperability, or disturb application compatibility.
Security Update – an update that fixes a security vulnerability. Security updates carry a severity rating assigned by the Microsoft Security Response Center (MSRC). MSRC defines four severity levels; WSUS and the Windows Update client show a fifth value, Unspecified, when an update carries no rating:
Critical - the update fixes a vulnerability whose exploitation could allow an Internet worm to propagate without user action.
Important - the update fixes a vulnerability whose exploitation could compromise the confidentiality, integrity or availability of users' data, or the integrity or availability of processing resources.
Moderate - the update fixes a vulnerability whose exploitation is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Low - the update fixes a vulnerability whose exploitation is extremely difficult, or whose impact is minimal.
Unspecified - the update has no severity rating.
Every security update also has an Exploitability Index rating, which estimates how likely working exploit code is; it is not shown to the user in Windows Update or WSUS: https://technet.microsoft.com/en-us/security/cc998259
The main confusion seen in the field is how these categories and severities appear in WSUS, Windows Update and MBSA.
Windows Server Update Services (WSUS) can synchronize updates by classification but not by MSRC severity. Selecting "Critical Updates" under Options > Products and Classifications synchronizes and downloads only Critical Updates that fix critical non-security bugs (for example hardware or driver compatibility). These Critical Updates have nothing to do with Critical-severity Security Updates.
To synchronize security updates you must select "Security Updates" on the Classifications tab. That classification brings down security updates of every MSRC severity: critical, important, moderate, low and unspecified.
Critical Updates (as opposed to Critical-severity Security Updates) have no MSRC severity set; WSUS displays their severity as "Unspecified".
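The severity filter WSUS lacks at synchronization time is easy to apply at approval time, because each synchronized update exposes its MSRC severity through the WSUS API. The following PowerShell script is an added example, not part of the original post: it runs on the WSUS server with the UpdateServices module, lists unapproved "Security Updates" of Critical or Important severity, and approves them for a target group. The group name 'Pilot' and the severity list are assumptions; the second query shows that "Critical Updates" come back with no MSRC severity at all, which is what the console renders as "Unspecified".

```powershell
# Added example (not from the original post). Assumes it runs on the WSUS server
# itself with the UpdateServices module available, and that a computer group
# named 'Pilot' exists (assumption; change to your own group).
Import-Module UpdateServices

$wsus        = Get-WsusServer                # local WSUS server, default port
$targetGroup = 'Pilot'                       # assumed target group name
$wanted      = @('Critical', 'Important')    # MSRC severities to approve

# Helper: an empty MsrcSeverity is what the WSUS console shows as "Unspecified".
function Get-Severity($wsusUpdate) {
    $s = $wsusUpdate.Update.MsrcSeverity
    if ([string]::IsNullOrEmpty($s)) { 'Unspecified' } else { $s }
}

# 1. "Critical Updates" classification: no MSRC severity, regardless of name.
Write-Host "Severity breakdown of synchronized Critical Updates (classification):"
Get-WsusUpdate -UpdateServer $wsus -Classification Critical -Approval AnyExceptDeclined |
    Group-Object { Get-Severity $_ } |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 2. "Security Updates" classification: filter client-side by MSRC severity,
#    since WSUS cannot synchronize by severity.
$unapproved = Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved
$selected   = $unapproved | Where-Object { $wanted -contains (Get-Severity $_) }

# Review the candidates before approving anything.
$selected |
    Select-Object @{ n = 'KB';       e = { ($_.Update.KnowledgebaseArticles | ForEach-Object { "KB$_" }) -join ',' } },
                  @{ n = 'Severity'; e = { Get-Severity $_ } },
                  @{ n = 'Class';    e = { $_.Update.UpdateClassificationTitle } },
                  @{ n = 'Title';    e = { $_.Update.Title } } |
    Sort-Object Severity |
    Format-Table -AutoSize

# 3. Approve for installation on the pilot group. Remove -WhatIf to apply.
$selected | Approve-WsusUpdate -Action Install -TargetGroupName $targetGroup -WhatIf
```

Keep the -WhatIf on the first run: Approve-WsusUpdate acts on every object piped into it, so check the table it prints (and the count of objects in $selected) before letting it approve for real.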
Windows Update in Control Panel presents simplified categories to the end user, who usually does not need to know about severity ratings or the exact classification of an update:
Important - includes all Security Updates regardless of MSRC severity, plus Critical Updates, Definition Updates, Update Rollups and Service Packs.
Optional/Recommended - includes Feature Packs and regular Updates.
This mapping is what you need when matching the exact update classifications (as seen in WSUS) to the simplified categories shown by Windows Update in Control Panel.
Microsoft Baseline Security Analyzer (MBSA) provides a streamlined method to identify missing security updates and common security misconfigurations. It is a basic vulnerability scanner that can run locally or against remote machines. MBSA scans for missing Security Updates (critical, important, moderate and low) and reports their highest MSRC severity rating.
I hope this blog post helped you understand the different categories and severity levels of Microsoft updates.
Critical Update is an update that fixes a critical non-security bug.
Critical Security Update is an update that fixes a security vulnerability rated Critical by MSRC.
Important is the category displayed by Windows Update; it includes all Security Updates regardless of MSRC severity rating, as well as other classifications such as Critical Updates and Definition Updates.
Important Security Update is an update that fixes a security vulnerability rated Important by MSRC.
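MBSA does its scan through the Windows Update Agent against the offline catalog wsusscn2.cab, and the same API lets you see, for every missing update, the exact classification and MSRC severity that the simplified Important/Optional buckets described above hide. The PowerShell script below is an added example, not part of the original post or of MBSA: it registers wsusscn2.cab as an offline scan source, lists missing updates with their classification, MSRC severity and the Windows Update bucket, and reports the highest severity among missing Security Updates, which is the figure MBSA prints. The catalog path C:\Temp\wsusscn2.cab is an assumption, the script must run elevated, and the UIBucket column is an approximation based on the AutoSelectOnWebSites flag that Windows Update uses to pre-select an update (recommended updates are also pre-selected when that option is enabled).

```powershell
# Added example (not from the original post or from MBSA). Assumes an elevated
# session and that wsusscn2.cab has been downloaded to the path below (assumption).
$cabPath = 'C:\Temp\wsusscn2.cab'

# Register the offline catalog as a scan source (same mechanism MBSA uses).
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
$service = $serviceManager.AddScanPackageService('Offline Sync Service', $cabPath, 1)

try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3               # ssOthers: use ServiceID below
    $searcher.ServiceID       = $service.ServiceID

    # Missing software updates applicable to this machine.
    $result = $searcher.Search("IsInstalled=0 and Type='Software'")

    # Rank MSRC severities so the report can sort and find the maximum.
    $rank = @{ 'Critical' = 4; 'Important' = 3; 'Moderate' = 2; 'Low' = 1; 'Unspecified' = 0 }

    $report = foreach ($u in $result.Updates) {
        # Exact classification, e.g. "Security Updates" or "Critical Updates".
        $classification = ($u.Categories |
            Where-Object { $_.Type -eq 'UpdateClassification' } |
            Select-Object -First 1).Name
        # Non-security updates carry no MSRC severity; show it as Unspecified.
        $severity = if ([string]::IsNullOrEmpty($u.MsrcSeverity)) { 'Unspecified' } else { $u.MsrcSeverity }
        [pscustomobject]@{
            KB             = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Classification = $classification
            MsrcSeverity   = $severity
            # Approximation (assumption): pre-selected updates are the "Important" bucket.
            UIBucket       = if ($u.AutoSelectOnWebSites) { 'Important' } else { 'Optional' }
            Title          = $u.Title
        }
    }

    $report | Sort-Object { $rank[$_.MsrcSeverity] } -Descending | Format-Table -AutoSize

    # What MBSA summarizes: count of missing Security Updates and their highest severity.
    $missingSecurity = @($report | Where-Object { $_.Classification -eq 'Security Updates' })
    $highest = $missingSecurity | Sort-Object { $rank[$_.MsrcSeverity] } -Descending | Select-Object -First 1
    if ($missingSecurity.Count -gt 0) {
        "Missing security updates: $($missingSecurity.Count); highest MSRC severity: $($highest.MsrcSeverity)"
    } else {
        'No missing security updates found against the offline catalog.'
    }
}
finally {
    # Unregister the temporary offline scan source.
    $serviceManager.RemoveService($service.ServiceID)
}
```

Run it on a machine without WSUS or Internet access to reproduce an MBSA-style offline check; because the classification comes from the update metadata rather than the UI bucket, a "Critical Updates" item shows up with severity Unspecified next to a genuinely Critical-severity security update, which is exactly the distinction the WSUS classifications make.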