Discovered vulnerabilities are normally classified by their level of seriousness. The reports produced by Microsoft's free Baseline Security Analyzer (MBSA), for example, show severity ratings in accordance with Microsoft's security recommendations, as well as specific remediation guidance.
Each highlighted vulnerability also includes the relevant Common Vulnerabilities and Exposures (CVE) ID. CVEs are standardized names for vulnerabilities and other information security exposures. They make it easier to share data across different vulnerability and security tools, creating a common reference language for security professionals. If your particular vulnerability scanner doesn't provide some sort of indication about a vulnerability's severity, or you want a second opinion, you can use the comprehensive vulnerability database maintained by Secunia. You can also search for vulnerabilities relating to a specific product or vendor, if you are concerned about a particular aspect of your system.
So in which order should you tackle any reported vulnerabilities? You need to secure your most critical assets first, which means you must classify your network resources in order of importance. To prioritize your assets, it's vital that you view your vulnerabilities as an attacker would. For example, a vulnerability exploitable only from inside your network probably doesn't take precedence over one exploitable from the Internet. I would start by patching vulnerabilities in key resources, installing all missing patches that have been highlighted as critical or important. Then, I would roll out fixes to other assets based on their priority level. Finally, run the scan again to create a new baseline and to ensure that all patches have been installed successfully.
You don't necessarily need to fix every problem. Certain vulnerabilities will not be applicable or may present a very low-risk to your particular system. Even if you did get to the point where your scanner doesn't report any vulnerabilities, it wouldn't mean that your system is perfectly secure. Although you should scan critical systems every 5 to 10 days, scanners can only check for certain known vulnerabilities, and your system will still be susceptible to unknown or emerging ones. This is why it is important to watch out for vendor security alerts and to have a process in place for testing and deploying new patches within an acceptable timeframe.
This was first published in February 2007