This has caused some concern for me as well, I do not have all of the answers but will offer what I know, and what I think.
What I know:
On 960715 in the FAQ from MS it states:
Why does this advisory not have a security rating associated with it?
This update contains kill bits for third-party controls not owned by Microsoft. Microsoft does not provide a security rating for vulnerable third-party controls.
So while MS thinks this is of high concern it is not rated with a security severity.
I had looked that one up a few months back on an earlier version.
Now, for what I think:
I have found that if you run Windows Update you will oftentimes find items in the Important or High section that are not always security issues, but may be stability, etc. fixes that are important from that standpoint, but are not always important for security.
The .NET service packs are in this category; they are service packs that fix known issues, may add additional features, etc., but are not critical to the security of a system.
I hope that helps. We have a policy here to review each patch (as best we can) despite its security rating to determine if we should apply it. We have chosen to install the ActiveX patches (though it is known to affect some application we do not use here).
From time to time, I will build a new system, patch it with LANDesk for all MS Low - Critical rated patches and then I will use Windows Update to see what I "missed" and determine if we should add those to our baseline.
It sometimes freaks a desktop tech out when they run Windows Updates and they see "high" patches in there, though we may have determined that we do not want to install them, etc.
The ADOBERD9v9.1.0_ENU (Adobe Reader) is wrong as well; it is more than critical, but rated medium.
I have sent this and the Flash Player ones to our TAM, who is quick about getting these issues resolved.
The severity levels for the Adobe vulnerability definitions listed above have been updated to reflect the severity ratings assigned by Adobe. Please redownload content to obtain the updated Adobe vulnerability definitions with the correct severity settings.
Thanks, now the FlashplayerV10 and ADOBERD9v9.1.0 are rated as critical, but not the previous version.
How do you explain that?
Based on the Adobe website, ALL versions of the reader have been impacted.
Thanks for your help.
Adobe has not released patches for versions earlier than 9 at this point; they said those would be coming soon.
According to the Adobe site they will provide the fix for 7 and 8 next week.
From Adobe security bulletin:
Adobe is planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18.
A security bulletin will be published on http://www.adobe.com/support/security as soon as product updates
for Adobe Reader 7 and 8, and Acrobat 7 and 8, are available.