to be critical or not to be critical

Microsoft is in a not-so-enviable position when it comes to patch releases. Microsoft yesterday released MS08-006 as one of their slew of patches. They rated this issue “Important.” But if you look closely, it scores the highest severity in every category except one: number of systems affected. If you do have servers affected, though, this is about as critical as an issue can get, other than having it already worming around.

This sucks because techs like me want the real skinny, but we all know the media will latch onto “Microsoft released a critical patch…” and drop off the “…that only affects…” part. And then people like my managers or the stakeholders on the systems in question will say, “But Microsoft themselves only rated this Important, surely you can slow down…”

There’s really no answer here, and I think Microsoft errs on the correct side, since I can figure out for myself that the issue is critical (assuming Microsoft continues to be detailed in their descriptions), but the general public is less likely to figure out that the issue doesn’t matter to them. Still, it is a lame situation. Maybe Microsoft should apply an overall severity to an issue only after identifying the affected products?

Or do what SANS does and split them up between client and server ratings. These are general enough and make damn good sense.