Trend Micro assesses the risks posed by software vulnerabilities by considering the following:
The number and the significance of the threats that use them
Their potential and actual impact
The difficulty or ease with which they can be exploited
Vulnerabilities are considered low, moderate, important, critical, or highly critical as described below.
Vulnerabilities considered highly critical are vulnerabilities associated with at least ten Internet threats, regardless of the impact of these Internet threats. Systems and networks not patched against these vulnerabilities will likely become infected due to the prevalence or sheer variety of associated Internet threats.
All vulnerabilities utilized by known Internet threats are critical. Vulnerabilities that remain unused by Internet threats, but that can facilitate the propagation of Internet threats across different systems, also fall under this category.
Vulnerabilities that compromise vital information and allow unauthorized access to passwords and other valuable data are automatically considered important. Vulnerabilities that compromise the integrity or availability of system resources are also in the same category.
Vulnerabilities that are hard to exploit because of default platform or application settings, auditing, or sheer technical complexity are considered moderate risk.
Low-risk vulnerabilities either have minimal impact on affected systems or are very difficult to exploit.
Endpoints that are considered risk-free may not be completely free of vulnerabilities. After a policy scan completes, a machine is risk-free if Vulnerability Scan does not detect vulnerabilities that have been identified by applicable policies for assessment. For example, if Network VirusWall Enforcer has only one policy and this policy is set to scan only for critical and highly critical vulnerabilities, Network VirusWall Enforcer will consider endpoints affected by low-risk vulnerabilities as risk-free.
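The five rating rules above are applied in priority order (a vulnerability that satisfies an earlier rule keeps that rating even if later rules also match), and the risk-free verdict then depends only on the ratings a policy chooses to assess. The following Python is an added illustration of that logic, not code from Trend Micro or Network VirusWall Enforcer; the Vulnerability and Policy data model, the field names, the "easy"/"hard"/"very hard" difficulty labels and the sample vulnerabilities are all constructed assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Rating labels from the page, ordered from most to least severe.
HIGHLY_CRITICAL = "highly critical"
CRITICAL = "critical"
IMPORTANT = "important"
MODERATE = "moderate"
LOW = "low"


@dataclass
class Vulnerability:
    """Facts about one vulnerability that the rating rules consume (constructed schema)."""
    name: str
    threats_using: int = 0             # known Internet threats that use it
    enables_propagation: bool = False  # unused by threats, but could spread them across systems
    exposes_data: bool = False         # passwords or other valuable data
    harms_resources: bool = False      # integrity or availability of system resources
    exploit_difficulty: str = "easy"   # "easy", "hard" (moderate) or "very hard" (low)


def rate(v: Vulnerability) -> str:
    """Apply the rating rules in priority order; the first matching rule wins."""
    if v.threats_using >= 10:
        return HIGHLY_CRITICAL          # ten or more threats, regardless of their impact
    if v.threats_using > 0 or v.enables_propagation:
        return CRITICAL                 # used by any known threat, or can propagate threats
    if v.exposes_data or v.harms_resources:
        return IMPORTANT                # "automatically important", even when hard to exploit
    if v.exploit_difficulty == "hard":
        return MODERATE                 # hard because of settings, auditing or complexity
    return LOW                          # minimal impact or very difficult to exploit


@dataclass(frozen=True)
class Policy:
    """A scan policy and the set of ratings it assesses (assumed model, not the product's)."""
    name: str
    assessed_ratings: frozenset


def assessed_ratings(policies: Iterable[Policy]) -> frozenset:
    """Union of every rating that at least one applicable policy assesses."""
    result = frozenset()
    for p in policies:
        result = result | p.assessed_ratings
    return result


def is_risk_free(detected: Iterable[Vulnerability], policies: Iterable[Policy]) -> bool:
    """Risk-free means no detected vulnerability carries a rating any applicable policy assesses."""
    assessed = assessed_ratings(policies)
    return not any(rate(v) in assessed for v in detected)


def unassessed(detected: Iterable[Vulnerability], policies: Iterable[Policy]) -> List[Vulnerability]:
    """The vulnerabilities a risk-free verdict leaves unreported: present, but outside policy scope."""
    assessed = assessed_ratings(policies)
    return [v for v in detected if rate(v) not in assessed]


# Constructed sample vulnerabilities, one per rating.
SAMPLE = [
    Vulnerability("worm-abused-rce", threats_using=12),
    Vulnerability("spreader-hole", enables_propagation=True),
    Vulnerability("credential-leak", exposes_data=True, exploit_difficulty="hard"),
    Vulnerability("audited-misconfig", exploit_difficulty="hard"),
    Vulnerability("info-nuisance", exploit_difficulty="very hard"),
]

# Constructed policy mirroring the page's example: only critical and highly critical are assessed.
CRITICAL_ONLY = Policy("critical-only", frozenset({CRITICAL, HIGHLY_CRITICAL}))

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.name:20} {rate(v)}")
    endpoint = [SAMPLE[4]]  # an endpoint carrying only the low-risk vulnerability
    print("risk-free:", is_risk_free(endpoint, [CRITICAL_ONLY]))
    print("not assessed:", [v.name for v in unassessed(endpoint, [CRITICAL_ONLY])])
```

The `unassessed` helper is the defender's check the page implies: an endpoint reported as risk-free under a critical-only policy still carries its low-rated findings, so reviewing what the policy excludes is the way to avoid reading "risk-free" as "no vulnerabilities".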