To protect users against attacks and make them aware of the real-world risks associated with security vulnerabilities in its products, Adobe has added “priority ratings” to its security bulletins. The ratings draw a clear distinction between security vulnerabilities that are being targeted by live exploits, security flaws that are historically at elevated risk, and vulnerabilities that may be theoretically dangerous but are never targeted by attackers. This should leave users more secure and better informed about what could actually harm them.
Here’s what the priority ratings look like according to ZDNet:
Priority 1: This update resolves vulnerabilities being targeted by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for instance, within 72 hours).
Priority 2: This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for instance, within 30 days).
Priority 3: This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.
According to Adobe, these priority ratings are based on “historical attack patterns” that help determine which products could be attacked and what type of vulnerability is involved. The rating also takes into account the platforms affected and any potential dangers that might occur. This increases predictability and sharpens threat perception. The existing severity ratings, which are Critical, Important, Moderate and Low, will also remain in the new-look security warning.
David Lenoe said:
“This is a new system, so we may find that adjustments will need to be made. We also believe that continuing to use the current severity ratings makes sense, since this information has been helpful to many customers, so you can expect to see both ratings being used in future security bulletins.”