Understanding patch severity in a Shavlik Protect patch scan and why it may differ from Windows Update

Version 4


    This article provides information about how patch scans with Protect may differ from Windows Update scans, specifically concerning patch severity.



    Microsoft publishes severity information with each bulletin. The Shavlik Protect interface displays the Microsoft severity for each individual patch by Qnumber. Each Microsoft Bulletin includes an overall maximum severity rating listed at the top of the bulletin and it is displayed in the Security Bulletin Search page. For example, for MS05-001, the maximum severity rating is Critical.


    Within each bulletin, the severity ratings are further assigned by the underlying operating system. The severity rating for the issue may be different, based on which operating system is involved. These specific settings may be viewed by expanding the Executive Summary of the security bulletin. For example, for MS05-001, the severity rating for NT4, Windows 2000, and Windows XP is Critical. The severity rating for Windows Server 2003 is Moderate.


    In the Protect GUI, the vendor severity rating is displayed for each patch and it is specific to the operating system or application that is installed. For NT4, Win2K, and XP systems the vendor severity rating for MS05-001 is displayed as Critical, while the same issue for WS03 is displayed as Moderate.


    Microsoft Windows Update (including Microsoft Update) categorizes updates in two buckets: High Priority and Software-Optional.


    The High Priority bucket includes both security-bulletin related patches and non-security patches. The Software-Optional bucket usually includes new software applications that can be installed (such as Windows PowerShell and Windows Search).


    Protect scans for and deploys all Microsoft security bulletin related patches. Each Microsoft security bulletin related patch is assigned a Microsoft severity rating (Critical, Important, Moderate, Low) as detailed in the security bulletin.


    The severity rating in Protect properly reflects the rating assigned to the individual patches for the specified products, rather than the overall severity rating assigned to the bulletin as a whole.


    Protect also scans for and deploys many of the Microsoft non-security related patches. These patches address issues such as performance, scalability and manageability. In Windows Update, these patches are included in the High Priority bucket alongside their security counterparts. In Protect, these patches are included as non-security patches available to be scanned via the WUScan scan template, or in a custom template when non-security patches are selected.


    Non-security patches, whether scanned from Windows Update or from Protect, are NOT assigned severity ratings. (Severity ratings are only assigned by Microsoft for security patches referenced in security bulletins.)


    Microsoft includes both security and non-security patches in their High Priority bucket. This sometimes leads to confusion when prioritizing the patches that need to be installed. Shavlik recommends that all security patches be considered for installation (after appropriate internal testing). Shavlik recommends installing non-security updates as required by the business situation. Non-security updates are not necessary to maintain the security posture of your system.


    Another point of common confusion is the Update Type attribute that is displayed in Windows Update. This column displays Important or Recommended. It is commonly mistaken for the patch severity; however, it is not related to security patch severity (Critical, Important, Moderate, Low). To see the security patch severity, click the update title on Windows Update, then click the corresponding More Information link to view the security bulletin and the associated per-product severity rating.



    Why does Microsoft show some non-security updates that Protect does not show?

    While Shavlik strives to maintain consistency with Windows Update non-security patches, there may be times when Microsoft has released a non-security patch and Protect has yet to support that patch. Protect prioritizes patches to include support for security patches first, then non-security patches. If you see a non-security patch on Windows Update that is not listed in the Protect product, submit a request at http://shavlik.featureidea.com/ asking that the patch be added.


    Why does Protect show some non-security updates that Windows Update does not show?
    Shavlik strives to add support for as many non-security patches as possible. This includes both those listed on Windows Update as well as those available from the Microsoft Download Center (that may not be available via Windows Update). Many times we identify (or customers ask us to support) relevant patches on the Microsoft Download Center that are not on Windows Update (which may or may not be supported by Windows Update in the future). In these cases, you may see Protect scanning for and recommending non-security patches that are not on Windows Update. As with all non-security updates, use your own judgment to determine if the specific patch is relevant to your organization and prioritize deployment of those patches accordingly.


    If a Protect Security Patch and/or WUScan scan shows my system as fully patched and Windows Update shows some missing High Priority updates, is my system really "secure"?
    Yes*. The Protect Security Patch (default) template scans for all security patches. The WUScan scan template scans for all security patches as well as non-security patches. Both of these templates identify any missing security patches that need to be installed on your system to consider it fully patched with respect to security patches. (* Secure in this sense means fully patched for security issues. Configuration settings may still be required to fully secure your system for non-patch-related items.)


    Do I need to install all non-security High Priority items recommended by Windows Update?
    No. Security bulletin related patches are the most important items to install. You should install all security bulletin related patches (pending your internal testing). Non-security patches can be installed to help address specific non-security issues as the need arises. It is not necessary to install these High Priority non-security patches to be secure.


    Shavlik recommends scanning with the Security Patch Scan template and applying the patches that it finds missing. Use the non-security WUScan scan template as needed to find those non-security items that you wish to install.
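    The following script is an added illustration, not code from Shavlik Protect or from this article. It models the two rules the article describes: the severity shown for a patch is the bulletin's per-product rating (not the bulletin's overall maximum), and non-security patches, including those Windows Update files under High Priority, carry no rating at all. It then orders a scan result the way the recommendation above suggests (security patches first, by severity; non-security items as needed) and lists the High Priority items that Windows Update would still report on a host Protect considers fully patched. The MS05-001 per-product ratings are the ones quoted in this article; the QNumbers and the non-security items are constructed placeholders, and the fallback to the bulletin maximum for an unlisted product is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The four Microsoft security-bulletin ratings, most severe first.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    max_severity: str            # aggregate rating at the top of the bulletin
    per_product: Dict[str, str]  # product -> rating from the Executive Summary


@dataclass(frozen=True)
class Patch:
    qnumber: str
    product: str                 # OS or application the patch applies to
    bulletin_id: Optional[str]   # None for a non-security patch
    wu_bucket: str               # "High Priority" or "Software-Optional"
    wu_update_type: str          # "Important"/"Recommended": NOT a severity


def vendor_severity(patch: Patch, bulletins: Dict[str, Bulletin]) -> Optional[str]:
    """Severity as Protect displays it: the bulletin's per-product rating.

    A non-security patch has no bulletin and therefore no rating (None).
    Assumption (not from the article): a product missing from the per-product
    table falls back to the bulletin maximum, erring towards over-prioritising.
    """
    if patch.bulletin_id is None:
        return None
    bulletin = bulletins[patch.bulletin_id]
    return bulletin.per_product.get(patch.product, bulletin.max_severity)


def prioritize(patches: List[Patch],
               bulletins: Dict[str, Bulletin]) -> Tuple[List[Patch], List[Patch]]:
    """Split into (security, non_security); security sorted most severe first.

    The Windows Update 'Update Type' column is deliberately ignored: it is not
    a security severity and must not influence the ordering.
    """
    security = [p for p in patches if p.bulletin_id is not None]
    non_security = [p for p in patches if p.bulletin_id is None]
    security.sort(key=lambda p: (SEVERITY_RANK[vendor_severity(p, bulletins)], p.qnumber))
    return security, non_security


def high_priority_non_security(patches: List[Patch]) -> List[Patch]:
    """High Priority items on Windows Update that carry no security rating.

    These are the entries that make Windows Update report missing updates on a
    host that a Protect Security Patch scan reports as fully patched.
    """
    return [p for p in patches
            if p.bulletin_id is None and p.wu_bucket == "High Priority"]


# Constructed sample data. MS05-001's per-product ratings are the ones the
# article quotes; QNumbers are placeholders, not real KB identifiers.
BULLETINS = {
    "MS05-001": Bulletin(
        "MS05-001", "Critical",
        {"Windows NT4": "Critical", "Windows 2000": "Critical",
         "Windows XP": "Critical", "Windows Server 2003": "Moderate"},
    ),
}

SAMPLE_PATCHES = [
    Patch("Q-PLACEHOLDER-1", "Windows XP", "MS05-001", "High Priority", "Important"),
    Patch("Q-PLACEHOLDER-1", "Windows Server 2003", "MS05-001", "High Priority", "Important"),
    # constructed non-security performance hotfix: High Priority on WU, but unrated
    Patch("Q-PLACEHOLDER-2", "Windows XP", None, "High Priority", "Recommended"),
    # constructed optional software item (the Windows Search kind): not a patch
    Patch("Q-PLACEHOLDER-3", "Windows XP", None, "Software-Optional", "Recommended"),
]

if __name__ == "__main__":
    sec, nonsec = prioritize(SAMPLE_PATCHES, BULLETINS)
    for p in sec:
        print(f"SECURITY      {p.qnumber:16} {p.product:20} {vendor_severity(p, BULLETINS)}")
    for p in nonsec:
        print(f"NON-SECURITY  {p.qnumber:16} {p.product:20} (no rating; {p.wu_bucket})")
    print("Still flagged by Windows Update but not security-relevant:",
          [p.qnumber for p in high_priority_non_security(SAMPLE_PATCHES)])
```

    Run as-is, the script shows the same QNumber rated Critical on Windows XP and Moderate on Windows Server 2003, and lists only the constructed High Priority hotfix as the item Windows Update would still flag after a clean Security Patch scan.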


    What if I see a non-security High Priority patch on Windows Update that is not listed in the Protect product?
    Submit your request at http://shavlik.featureidea.com/.


    Why does Protect show security updates that Windows Update does not show?

    The Protect application scans for security updates for both Microsoft and non-Microsoft products that Windows Update / Microsoft Update does not scan for. For Microsoft products, this includes items such as Office 2000, Step by Step Interactive Training, Messenger, Services for Unix, FPSE, SQL 2000 (pre SP4), and ISA Server.


    The Protect application also scans for security patches on non-Microsoft products such as Sun Java, Mozilla Firefox, Apple iTunes, Adobe Acrobat and Reader, Adobe Flash, Citrix, RealPlayer, and others. Windows Update does not scan for or patch these third party products.