Assessing


With the list of missing patches identified by MBSA, you must determine if the vulnerabilities pose a significant risk. Microsoft Security Bulletins provide technical details to help you determine the level of threat the vulnerability poses to your systems.

The details from security bulletins that help you assess the risk of attack are:

  • Technical details of the requirements an attacker must meet to exploit the vulnerability addressed by the bulletin. For example, an attack may require physical access, or it may require the user to open a malicious email attachment.

  • Mitigating factors that you need to compare against your security policy to determine your level of exposure to the vulnerability. It may be that your security policy mitigates the need to apply a patch. For example, if you do not have the Indexing Service running on your server, you do not need to install patches to address vulnerabilities in the service.

  • Severity rating that assists in determining priority. The severity rating is based on multiple factors including the role of the machines that may be vulnerable, and the level of exposure to the vulnerability.

    For more information about the severity rating system used by the security bulletins, see the TechNet article, "Microsoft Security Response Center Security Bulletin Severity Rating System" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/policy/rating.asp

    Note  

    If you use an affected product, you should almost always apply patches that address vulnerabilities rated critical or important. Patches rated critical should be applied as soon as possible.
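
The three bulletin details above can be combined into a repeatable triage pass over the missing-patch list. The following Python code is an added example, not part of the original text or of any Microsoft tool. The record fields, decision labels, bulletin IDs (placeholders) and sample data are assumptions constructed for illustration, as is the precedence it applies: a component that is not in use is checked first, then the Critical and Important ratings, then policy mitigations for the lower Moderate and Low ratings of Microsoft's scale.

```python
from dataclasses import dataclass

# Microsoft bulletin severity ratings, most severe first.
SEVERITIES = ["Critical", "Important", "Moderate", "Low"]
# Decisions in the order they should be worked; the labels are assumptions of this example.
DECISIONS = ["apply-now", "apply", "schedule", "defer-mitigated", "skip-not-affected"]


@dataclass(frozen=True)
class MissingPatch:
    bulletin: str     # placeholder ID, not a real bulletin number
    severity: str     # severity rating from the bulletin
    component: str    # product or service the patch fixes
    requirement: str  # what an attacker needs, from the bulletin's technical details


def decide(patch, running_components, blocked_requirements):
    """Apply the three bulletin details to one missing patch and return a decision."""
    if patch.severity not in SEVERITIES:
        raise ValueError(f"unknown severity rating: {patch.severity!r}")
    if patch.component not in running_components:
        return "skip-not-affected"   # affected component is not in use on this host
    if patch.severity == "Critical":
        return "apply-now"           # critical: apply as soon as possible
    if patch.severity == "Important":
        return "apply"
    if patch.requirement in blocked_requirements:
        return "defer-mitigated"     # security policy already removes the precondition
    return "schedule"


def triage(patches, running_components, blocked_requirements):
    """Return (bulletin, decision) pairs, most urgent first."""
    decided = [(p, decide(p, running_components, blocked_requirements)) for p in patches]
    decided.sort(key=lambda pd: (DECISIONS.index(pd[1]), SEVERITIES.index(pd[0].severity)))
    return [(p.bulletin, d) for p, d in decided]


# Constructed sample data: a missing-patch list and one server's policy facts.
SAMPLE = [
    MissingPatch("EXAMPLE-001", "Moderate", "IIS", "physical access"),
    MissingPatch("EXAMPLE-002", "Critical", "Indexing Service", "network request"),
    MissingPatch("EXAMPLE-003", "Important", "IIS", "network request"),
    MissingPatch("EXAMPLE-004", "Critical", "IIS", "network request"),
    MissingPatch("EXAMPLE-005", "Low", "IIS", "user opens email attachment"),
]
RUNNING = {"IIS"}              # the Indexing Service is not running on this server
BLOCKED = {"physical access"}  # e.g. policy keeps servers in a locked room

if __name__ == "__main__":
    for bulletin, decision in triage(SAMPLE, RUNNING, BLOCKED):
        print(f"{bulletin}: {decision}")
```

Record the reason alongside each deferred or skipped patch, so the decision can be revisited if the service is later enabled or the policy changes.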




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
