Microsoft has modified the guidelines it uses to rate the severity of vulnerabilities in its products, as it works to deflect criticism of its security record.

However, some experts have accused the software giant of seeking to play down the threat posed by flaws with its introduction of the rating "Important" between the existing "Moderate" and "Critical" classifications.

Microsoft last week classified newly discovered vulnerabilities in Internet Explorer as Important, even though the most serious could allow an attacker to execute commands on a user's system - a danger that some believe merits the Critical classification.

Although Microsoft argued that the new system would allow more precise definitions of the threats posed by flaws, some experts said it could be used to downplay their severity. "I think there is a danger that some threats will be given a lower classification than before, and it's a pretty subjective decision whether they fall into the Critical or Important category," said Mark Lillycrop, chief executive of research firm Arcati.

Lillycrop added that Microsoft would do better to focus on speeding up the release of information on flaws. "There is really no excuse for Microsoft delaying the details of flaws, particularly if a tested patch is available," he said. "Users have the right to be informed they are at risk."

Microsoft also plans to set up an advisory mailing list for users who have less technical knowledge, offering simplified information regarding flaws and required actions.

Have your say: contact IT Week