Vulnerability Assessment

The McAfee Vulnerability Assessment evaluates the severity of weaknesses in your systems or applications that may open the door to potential attacks. Vulnerabilities can pose significant risks to both businesses’ and consumers’ systems because attacks can threaten the access, availability, or confidentiality of systems, applications, and data. Our team of global threat experts strives to inform you about each vulnerability, its exploit details, and its risk level. We have created a methodology for establishing vulnerability risk to ensure consistency and transparency in our processes.

Our assessment is based on how easy it is to exploit the vulnerability, the impact of the exploitation, the availability of exploit code, and other factors. These assessments are not subject to rigorous algorithmic measurement, so judgment calls are often made when assigning a risk level.

Learn about McAfee Threat Assessment methodology.

Criteria for Assessing Vulnerabilities

McAfee Labs considers the following criteria when evaluating vulnerability risk:

Origins of potential attacks
Vulnerabilities can be exploitable from outside your network (“remotely exploitable”), or they can only be exploitable from a local network or on a particular user’s system (“locally exploitable”). A locally exploitable vulnerability can only be targeted by attackers within the network, while a remotely exploitable vulnerability can be targeted by insiders as well as by attackers outside the network.

Self-execution capabilities of attacks
Vulnerabilities can be exploited without any involvement by the victim, or they can only be exploited with the unwitting cooperation of the victim. In the latter case, the victim is tricked into performing a certain action, such as visiting a malicious website or opening a malicious media file.

Results of successful attacks
Vulnerabilities are exploited in order to execute code, elevate access privileges, obtain sensitive information, cause a denial of service of an application, service, or system, or enable extortion. In general, vulnerabilities that lead to code execution are the most dangerous, while vulnerabilities that result in a denial of service are far less dangerous. Denial-of-service attacks usually do not result in permanent damage.

In addition to the above criteria, we also take into account the availability of exploit code, the number of vulnerable systems or applications, and the configuration of the vulnerable software. A vulnerability's assessment can change over time as it moves through its lifecycle, for example when exploit code is published.

Vulnerability Risk Levels

Critical
Applies to vulnerabilities that were originally rated "High" but are elevated when exploit code is published.

High
Applies to remotely exploitable vulnerabilities that require no user interaction. When these vulnerabilities are successfully exploited, the result is permanent compromise of the attacked systems. This rating also applies to vulnerabilities that were originally rated "Medium" but are elevated when exploit code is published.

Medium
Applies to remotely exploitable vulnerabilities that require no user interaction and that, when successfully exploited, do not result in a permanent compromise of the attacked systems. It also applies to remotely exploitable vulnerabilities that require user interaction, and locally exploitable vulnerabilities that, when successfully exploited, result in a permanent compromise of the attacked systems.

Low
Applies to locally exploitable vulnerabilities that, when successfully exploited, do not result in a permanent compromise of the attacked systems. Also applies to vulnerabilities that were originally rated "Medium" but are present only in a non-default configuration or in an application with a limited distribution.

The table below lists the Vulnerability Risk Levels based on the criteria mentioned above.

| Origins of Potential Attacks | Self-Execution Capabilities of Attacks | Permanent Compromise | Vulnerability Risk Level | Vulnerability Level if Exploit Code is Available |
|---|---|---|---|---|
| Remote | No user interaction needed | Yes | High | Critical |
| Remote | No user interaction needed | No | Medium | High |
| Remote | User interaction needed | Yes or no | Medium | High |
| Local | Not relevant | Yes | Medium | High |
| Local | Not relevant | No | Low | Low |
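The rubric above, including the exploit-code elevation and the non-default-configuration downgrade, encoded as a small triage helper. This is an added example, not McAfee's own tooling; it assumes that the downgrade of an original "Medium" applies before any exploit-code elevation and that "Low" never elevates, which is how the table and the risk-level definitions read.

```python
"""Encoding of the vulnerability risk rubric described on this page.

Added example, not McAfee's code. Assumption: the non-default configuration /
limited distribution downgrade applies to the original "Medium" rating before
the exploit-code elevation, and a "Low" rating never elevates.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High", "Critical")


@dataclass(frozen=True)
class Vuln:
    remote: bool                  # exploitable from outside the network
    user_interaction: bool        # victim must be tricked into an action
    permanent_compromise: bool    # e.g. code execution vs. a transient DoS
    exploit_code_public: bool = False
    non_default_config: bool = False
    limited_distribution: bool = False


def base_level(v: Vuln) -> str:
    """Rating from the three core criteria (the table's fourth column)."""
    if v.remote and not v.user_interaction:
        return "High" if v.permanent_compromise else "Medium"
    if v.remote:
        # Remote but needs user interaction: Medium whether or not permanent.
        return "Medium"
    # Locally exploitable.
    return "Medium" if v.permanent_compromise else "Low"


def risk_level(v: Vuln) -> str:
    """Lifecycle-adjusted rating (fifth column plus the Low and Critical rules)."""
    level = base_level(v)
    # Low rule: an original Medium that only exists in a non-default
    # configuration or a limited-distribution application drops to Low.
    if level == "Medium" and (v.non_default_config or v.limited_distribution):
        level = "Low"
    # Published exploit code elevates Medium -> High and High -> Critical.
    if v.exploit_code_public and level in ("Medium", "High"):
        level = LEVELS[LEVELS.index(level) + 1]
    return level


def triage_order(findings: dict[str, Vuln]) -> list[str]:
    """Finding names sorted from highest to lowest adjusted risk level."""
    return sorted(findings, key=lambda n: LEVELS.index(risk_level(findings[n])), reverse=True)
```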