Incorrect Severity Rating

The following Jan patches should have a severity rating of Important. Content team, please update.

| ID | Name | Source Severity |
| --- | --- | --- |
| 447138901 | MS19-JAN: Security update for Microsoft Exchange Server 2019, 2016, and 2013 - Exchange Server 2013 CU21 SP1 - KB4471389 (x64) | Unspecified |
| 447138905 | MS19-JAN: Security update for Microsoft Exchange Server 2019, 2016, and 2013 - Exchange Server 2016 CU10 - KB4471389 (x64) | Unspecified |
| 447138903 | MS19-JAN: Security update for Microsoft Exchange Server 2019, 2016, and 2013 - Exchange Server 2016 CU11 - KB4471389 (x64) | Unspecified |

reference - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0588

@BaiYunfei

As a note, it seems the severity has not been specified/updated on Microsoft’s Update Catalog:

Is that the same for 2016, as the link sent indicates Important?

Yes, each update I just checked includes an ‘unspecified’ severity:

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4471389

We can explore updating our content naturally; however, as a note, we generally reference the severity specified in the Microsoft Update Catalog.

Thanks for checking, Aram. It's one of those frustrating ones when Microsoft/BigFix differ significantly from tools like Nessus. This is one for Microsoft to address, and I guess BigFix will follow suit after …

Man, if I had a nickel for every time Nessus reported a totally different severity than Microsoft…

Sometimes the MS catalog can be inconsistent.

In this case, it makes sense to label these fixlets with the “Important” rating despite what the catalog reports.

The team has updated the fixlets in Patches for Windows version 3230.
