Microsoft's recent security bulletins reveal a confusing pattern: vulnerabilities labeled as "Remote Code Execution" (RCE) with CVSS attack vector ratings of AV:L (Local). This apparent contradiction has left security professionals and IT administrators scratching their heads, but the explanation lies in Microsoft's layered approach to vulnerability description. The company uses two distinct classification systems that serve different purposes, creating confusion when viewed side by side.
When Microsoft publishes a security bulletin for an Office vulnerability, they typically include both a descriptive severity rating (Critical, Important, Moderate, Low) and a CVSS (Common Vulnerability Scoring System) score. The descriptive rating focuses on the potential impact if exploited, while the CVSS score provides a standardized technical assessment of the attack characteristics. This dual-system approach creates the apparent mismatch between "Remote Code Execution" and AV:L ratings.
Understanding Microsoft's Vulnerability Classification System
Microsoft's security bulletins serve two distinct audiences with different needs. The descriptive severity ratings (Critical, Important, etc.) are designed for IT administrators and decision-makers who need to understand the business impact of vulnerabilities. These ratings answer the question: "How bad would this be if exploited?" A "Critical" rating indicates that exploitation could lead to complete system compromise without user interaction, while "Important" typically requires some user action.
The CVSS scores, on the other hand, provide technical details for security professionals who need to understand the mechanics of exploitation. CVSS version 3.1, which Microsoft currently uses, includes eight base metrics that collectively describe how a vulnerability can be exploited and what capabilities an attacker gains. The Attack Vector (AV) metric specifically describes how the attacker reaches the vulnerable component.
AV:L (Local) means the attacker must have local access to the target system, either through physical access or by having a local account; in CVSS 3.1 it also covers the case where the attacker relies on a user to perform an action on that system, such as opening a file. This contrasts with AV:N (Network), which indicates the vulnerability can be exploited over a network connection without local access. The confusion arises because Microsoft's descriptive severity rating focuses on the outcome (Remote Code Execution) while CVSS focuses on the attack path (local access required).
The Office Vulnerability Scenario
Consider a typical Office vulnerability that illustrates this classification approach. Microsoft might rate a Word document vulnerability as "Critical - Remote Code Execution" while assigning a CVSS score with AV:L. Here's how both descriptions can be accurate: the vulnerability allows an attacker to execute arbitrary code on the victim's system (Remote Code Execution), but the attack vector requires the victim to open a malicious document locally (AV:L).
The "remote" in Remote Code Execution refers to the attacker's ability to execute code on a remote system, not necessarily the attack vector. An attacker could send a malicious Word document via email, and when the victim opens it locally, the attacker gains the ability to execute code on that system. From the victim's perspective, the code execution happens on their local machine, but from the attacker's perspective, they've achieved remote code execution on a system they don't physically control.
Practical Implications for Security Teams
This classification approach has significant implications for how organizations prioritize and remediate vulnerabilities. A vulnerability rated as "Critical - Remote Code Execution" with AV:L requires different defensive measures than one with AV:N. For AV:L vulnerabilities, the primary defense involves preventing malicious files from reaching users and ensuring proper application security controls.
Organizations should focus on email filtering, web content filtering, and user education about opening suspicious attachments. Application control policies that restrict which applications can run and what they can do become particularly important. Microsoft's own security recommendations for these vulnerabilities typically emphasize not opening files from untrusted sources and keeping Office applications updated.
For vulnerabilities with AV:N (Network attack vector), the defensive posture shifts to network segmentation, firewall rules, and intrusion detection systems. The attack surface is broader since the attacker doesn't need to trick a user into opening a file.
Microsoft's Historical Approach to Vulnerability Disclosure
Microsoft has used this dual-classification system for years, but it continues to cause confusion. The company's security bulletins date back to the early 2000s, and over time they've refined how they communicate vulnerability information. The addition of CVSS scores in recent years was meant to provide more standardized, technical information, but it has created this apparent contradiction with their traditional severity ratings.
Security researchers and IT professionals have repeatedly raised questions about this classification approach. Some argue that Microsoft should align their descriptive ratings more closely with CVSS terminology, while others appreciate having both business-impact and technical assessments. The current system represents a compromise between these competing needs.
Real-World Exploitation Patterns
Vulnerabilities classified as RCE with AV:L follow predictable exploitation patterns in the wild. Attackers typically use social engineering to deliver malicious Office documents via email phishing campaigns. The documents often contain macros, embedded objects, or specially crafted content that triggers the vulnerability when opened.
Recent examples include CVE-2023-21716, a Microsoft Word vulnerability rated as Critical with CVSS 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The bulletin describes it as a Remote Code Execution vulnerability, but the CVSS metrics show it requires local access (AV:L), user interaction (UI:R), and no privileges (PR:N). This combination describes exactly the scenario where a user opens a malicious document locally.
Another example is CVE-2023-23397, a Microsoft Outlook vulnerability that was actively exploited in the wild. While this had different characteristics (it was an elevation of privilege vulnerability), it demonstrates how local attack vectors (AV:L) can lead to significant security breaches when combined with user interaction.
The Evolution of CVSS and Microsoft's Implementation
The CVSS standard has evolved over time, and Microsoft's implementation has changed accordingly. CVSS version 2.0, which Microsoft used for many years, had a simpler attack vector metric that didn't distinguish as clearly between different types of local access. CVSS 3.0 and 3.1 introduced more granular metrics, including separating physical (AV:P) from local (AV:L) access.
Microsoft's transition to CVSS 3.x has made their vulnerability descriptions more precise but also more complex. The additional granularity helps security professionals understand exactly what conditions are needed for exploitation, but it can create confusion when compared to the simpler descriptive ratings.
Best Practices for Vulnerability Management
Security teams should develop processes that account for both Microsoft's descriptive ratings and CVSS scores. When evaluating Office vulnerabilities, consider:
- The attack vector: AV:L means focus on endpoint protection and user education
- The user interaction requirement: UI:R means the user must take an action (like opening a file)
- The privileges required: PR:N means no special privileges are needed
- The impact scores: C (Confidentiality), I (Integrity), A (Availability) indicate what the attacker can achieve
Organizations should prioritize patching based on both the potential impact (Critical vs Important) and the likelihood of exploitation. Vulnerabilities with AV:L but requiring user interaction may be less urgent than those with AV:N that require no user interaction, even if both are rated Critical.
The Future of Vulnerability Classification
As attack techniques evolve, so too must vulnerability classification systems. Microsoft faces ongoing challenges in balancing clear communication with technical precision. The current system, while confusing at first glance, serves different stakeholder needs effectively once understood.
Looking forward, we may see further refinements to how Microsoft communicates vulnerability information. The company could provide more explicit explanations of how their descriptive ratings relate to CVSS metrics, or they could develop additional guidance for different types of organizations. What's clear is that as Office remains a primary attack vector, understanding these classification nuances becomes increasingly important for effective security management.
Security professionals should continue to educate their organizations about these distinctions. The difference between "remote code execution" as an outcome and "local attack vector" as an access method is more than semantic—it dictates defensive strategies, patch prioritization, and risk assessment. By understanding both Microsoft's severity ratings and CVSS metrics, organizations can make better-informed security decisions and allocate resources more effectively.