1st Security Agent with IE Internet Security 6.1 serial key or number

Common Vulnerability Scoring System version Specification Document

CVSS Version Release

This page updates with each release of the CVSS standard. It is currently CVSS version , released in June If you wish to use a specific version of the Specification Document, use:



The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. This document provides the official specification for CVSS version

The most current CVSS resources can be found at https://www.first.org/cvss/

CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. FIRST reserves the right to update CVSS and this document periodically at its sole discretion. While FIRST owns all right and interest in CVSS, it licenses it to the public freely for use, subject to the conditions below. Membership in FIRST is not required to use or implement CVSS. FIRST does, however, require that any individual or entity using CVSS give proper attribution, where applicable, that CVSS is owned by FIRST and used by permission. Further, FIRST requires as a condition of use that any individual or entity which publishes scores conforms to the guidelines described in this document and provides both the score and the scoring vector so others can understand how the score was derived.

The Common Vulnerability Scoring System (CVSS) captures the principal technical characteristics of software, hardware and firmware vulnerabilities. Its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities.

CVSS is composed of three metric groups: Base, Temporal, and Environmental. The Base Score reflects the severity of a vulnerability according to its intrinsic characteristics which are constant over time and assumes the reasonable worst case impact across different deployed environments. The Temporal Metrics adjust the Base severity of a vulnerability based on factors that change over time, such as the availability of exploit code. The Environmental Metrics adjust the Base and Temporal severities to a specific computing environment. They consider factors such as the presence of mitigations in that environment.

Base Scores are usually produced by the organization maintaining the vulnerable product, or a third party scoring on their behalf. It is typical for only the Base Metrics to be published as these do not change over time and are common to all environments. Consumers of CVSS should supplement the Base Score with Temporal and Environmental Scores specific to their use of the vulnerable product to produce a severity more accurate for their organizational environment. Consumers may use CVSS information as input to an organizational vulnerability management process that also considers factors that are not part of CVSS in order to rank the threats to their technology infrastructure and make informed remediation decisions. Such factors may include: number of customers on a product line, monetary losses due to a breach, life or property threatened, or public sentiment on highly publicized vulnerabilities. These are outside the scope of CVSS.

The benefits of CVSS include the provision of a standardized vendor and platform agnostic vulnerability scoring methodology. It is an open framework, providing transparency to the individual characteristics and methodology used to derive a score.

Metrics

CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics, as shown in Figure 1.

Figure 1: CVSS Metric Groups

The Base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It is composed of two sets of metrics: the Exploitability metrics and the Impact metrics.

The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. The Impact metrics reflect the direct consequence of a successful exploit, and represent the consequence to the thing that suffers the impact, which we refer to formally as the impacted component.

While the vulnerable component is typically a software application, module, driver, etc. (or possibly a hardware device), the impacted component could be a software application, a hardware device or a network resource. This potential for measuring the impact of a vulnerability other than the vulnerable component, was a key feature introduced with CVSS v This property is captured by the Scope metric, discussed later.

The Temporal metric group reflects the characteristics of a vulnerability that may change over time but not across user environments. For example, the presence of a simple-to-use exploit kit would increase the CVSS score, while the creation of an official patch would decrease it.

The Environmental metric group represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment. Considerations include the presence of security controls which may mitigate some or all consequences of a successful attack, and the relative importance of a vulnerable system within a technology infrastructure.

Each of these metrics is discussed in further detail below. The User Guide contains scoring rubrics for the Base Metrics that may be useful when scoring.

Scoring

When the Base metrics are assigned values by an analyst, the Base equation computes a score ranging from to as illustrated in Figure 2.

Figure 2: CVSS Metrics and Equations

Specifically, the Base equation is derived from two sub equations: the Exploitability sub-score equation, and the Impact sub-score equation. The Exploitability sub-score equation is derived from the Base Exploitability metrics, while the Impact sub-score equation is derived from the Base Impact metrics.

The Base Score can then be refined by scoring the Temporal and Environmental metrics in order to more accurately reflect the relative severity posed by a vulnerability to a user’s environment at a specific point in time. Scoring the Temporal and Environmental metrics is not required, but is recommended for more precise scores.

Generally, the Base and Temporal metrics are specified by vulnerability bulletin analysts, security product vendors, or application vendors because they typically possess the most accurate information about the characteristics of a vulnerability. The Environmental metrics are specified by end-user organizations because they are best able to assess the potential impact of a vulnerability within their own computing environment.

Scoring CVSS metrics also produces a vector string, a textual representation of the metric values used to score the vulnerability. This vector string is a specifically formatted text string that contains each value assigned to each metric, and should always be displayed with the vulnerability score.

The scoring equations and vector string are explained further below.

Note that all metrics should be scored under the assumption that the attacker has already located and identified the vulnerability. That is, the analyst need not consider the means by which the vulnerability was identified. In addition, it is likely that many different types of individuals will be scoring vulnerabilities (e.g., software vendors, vulnerability bulletin analysts, security product vendors); note, however, that vulnerability scoring is intended to be agnostic to the individual and their organization.

Exploitability Metrics

As previously mentioned, the Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Therefore, each of the Exploitability metrics listed below should be scored relative to the vulnerable component, and reflect the properties of the vulnerability that lead to a successful attack.

When scoring Base metrics, it should be assumed that the attacker has advanced knowledge of the weaknesses of the target system, including general configuration and default defense mechanisms (e.g., built-in firewalls, rate limits, traffic policing). For example, exploiting a vulnerability that results in repeatable, deterministic success should still be considered a Low value for Attack Complexity, independent of the attacker's knowledge or capabilities. Furthermore, target-specific attack mitigation (e.g., custom firewall filters, access lists) should instead be reflected in the Environmental metric scoring group.

Specific configurations should not impact any attribute contributing to the CVSS Base Score, i.e., if a specific configuration is required for an attack to succeed, the vulnerable component should be scored assuming it is in that configuration.

Attack Vector (AV)

This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base Score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater Base Score. The list of possible values is presented in Table 1.

Table 1: Attack Vector

Metric Value | Description
Network (N) | The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet across a wide area network (e.g., CVE‑‑).
Adjacent (A) | The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE ) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE‑‑).
Local (L) | The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either:
  • the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or
  • the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Physical (P) | The attack requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g., evil maid attack[^1]) or persistent. An example of such an attack is a cold boot attack in which an attacker gains access to disk encryption keys after physically accessing the target system. Other examples include peripheral attacks via FireWire/USB Direct Memory Access (DMA).

Scoring Guidance: When deciding between Network and Adjacent, if an attack can be launched over a wide area network or from outside the logically adjacent administrative network domain, use Network. Network should be used even if the attacker is required to be on the same intranet to exploit the vulnerable system (e.g., the attacker can only exploit the vulnerability from inside a corporate network).

Attack Complexity (AC)

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). If a specific configuration is required for an attack to succeed, the Base metrics should be scored assuming the vulnerable component is in that configuration. The Base Score is greatest for the least complex attacks. The list of possible values is presented in Table 2.

Table 2: Attack Complexity

Metric Value | Description
Low (L) | Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
High (H) | A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.[^2] For example, a successful attack may depend on an attacker overcoming any of the following conditions:
  • The attacker must gather knowledge about the environment in which the vulnerable target/component exists. For example, a requirement to collect details on target configuration settings, sequence numbers, or shared secrets.
  • The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques.
  • The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).

As described in Section , detailed knowledge of the vulnerable component is outside the scope of Attack Complexity. Refer to that section for additional guidance when scoring Attack Complexity when target-specific attack mitigation is present.

Privileges Required (PR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The Base Score is greatest if no privileges are required. The list of possible values is presented in Table 3.

Table 3: Privileges Required

Metric Value | Description
None (N) | The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Low (L) | The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
High (H) | The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files.

Scoring Guidance: Privileges Required is usually None for hard-coded credential vulnerabilities or vulnerabilities requiring social engineering (e.g., reflected cross-site scripting, cross-site request forgery, or file parsing vulnerability in a PDF reader).

User Interaction (UI)

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The Base Score is greatest when no user interaction is required. The list of possible values is presented in Table 4.

Table 4: User Interaction

Metric Value | Description
None (N) | The vulnerable system can be exploited without interaction from any user.
Required (R) | Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Scope (S)

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which the vulnerable component resides, a Scope change occurs.

The security scope of a component encompasses other components that provide functionality solely to that component, even if these other components have their own security authority. For example, a database used solely by one application is considered part of that application’s security scope even if the database has its own security authority, e.g., a mechanism controlling access to database records based on database users and associated database privileges.

The Base Score is greatest when a scope change occurs. The list of possible values is presented in Table 5.

Table 5: Scope

Metric Value | Description
Unchanged (U) | An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
Changed (C) | An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Only the increase in access, privileges gained, or other negative outcome as a result of successful exploitation should be considered when scoring the Impact metrics of a vulnerability. For example, consider a vulnerability that requires read-only permissions prior to being able to exploit the vulnerability. After successful exploitation, the attacker maintains the same level of read access, and gains write access. In this case, only the Integrity impact metric should be scored, and the Confidentiality and Availability Impact metrics should be set as None.

Note that when scoring a delta change in impact, the final impact should be used. For example, if an attacker starts with partial access to restricted information (Confidentiality Low) and successful exploitation of the vulnerability results in complete loss in confidentiality (Confidentiality High), then the resultant CVSS Base Score should reference the “end game” Impact metric value (Confidentiality High).

If a scope change has not occurred, the Impact metrics should reflect the Confidentiality, Integrity, and Availability impacts to the vulnerable component. However, if a scope change has occurred, then the Impact metrics should reflect the Confidentiality, Integrity, and Availability impacts to either the vulnerable component, or the impacted component, whichever suffers the most severe outcome.

Confidentiality (C)

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The Base Score is greatest when the loss to the impacted component is highest. The list of possible values is presented in Table 6.

Table 6: Confidentiality

Metric Value | Description
High (H) | There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.
Low (L) | There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.
None (N) | There is no loss of confidentiality within the impacted component.

Integrity (I)

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The Base Score is greatest when the consequence to the impacted component is highest. The list of possible values is presented in Table 7.

Table 7: Integrity

Metric Value | Description
High (H) | There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.
Low (L) | Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.
None (N) | There is no loss of integrity within the impacted component.

Availability (A)

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. The Base Score is greatest when the consequence to the impacted component is highest. The list of possible values is presented in Table 8.

Table 8: Availability

Metric Value | Description
High (H) | There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
Low (L) | Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.
None (N) | There is no impact to availability within the impacted component.

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Exploit Code Maturity (E)

This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability. Initially, real-world exploitation may only be theoretical. Publication of proof-of-concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus or other automated attack tools.

The list of possible values is presented in Table 9. The more easily a vulnerability can be exploited, the higher the vulnerability score.

Table 9: Exploit Code Maturity

Metric Value | Description
Not Defined (X) | Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning High.
High (H) | Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely available, easy-to-use automated tools.
Functional (F) | Functional exploit code is available. The code works in most situations where the vulnerability exists.
Proof-of-Concept (P) | Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.
Unproven (U) | No exploit code is available, or an exploit is theoretical.

Remediation Level (RL)

The Remediation Level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the Temporal Score downwards, reflecting the decreasing urgency as remediation becomes final. The list of possible values is presented in Table The less official and permanent a fix, the higher the vulnerability score.

Table Remediation Level

Metric Value | Description
Not Defined (X) | Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning Unavailable.
Unavailable (U) | There is either no solution available or it is impossible to apply.
Workaround (W) | There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability.
Temporary Fix (T) | There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.
Official Fix (O) | A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.

Report Confidence (RC)

This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of vulnerabilities is publicized, but without specific details. For example, an impact may be recognized as undesirable, but the root cause may not be known. The vulnerability may later be corroborated by research which suggests where the vulnerability may lie, though the research may not be certain. Finally, a vulnerability may be confirmed through acknowledgment by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The list of possible values is presented in Table The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.

Table Report Confidence

Metric Value | Description
Not Defined (X) | Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning Confirmed.
Confirmed (C) | Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability.
Reasonable (R) | Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or “left as an exercise to the reader”) that gives assurances on how to reproduce the results.
Unknown (U) | There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base Score can be applied given the differences described. An example is a bug report which notes that an intermittent but non-reproducible crash occurs, with evidence of memory corruption suggesting that denial of service, or possible more serious impacts, may result.

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of complementary/alternative security controls in place, Confidentiality, Integrity, and Availability. The metrics are the modified equivalent of Base metrics and are assigned values based on the component placement within organizational infrastructure.

Security Requirements (CR, IR, AR)

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each Security Requirement has three possible values: Low, Medium, or High.

The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentiality impact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.

Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to High will not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the Modified Impact Sub-Score (part of the Modified Base Score that calculates impact) is already at a maximum value of

The list of possible values is presented in Table For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).

Table Security Requirements

| Metric Value | Description |
| --- | --- |
| Not Defined (X) | Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Environmental Score, i.e., it has the same effect on scoring as assigning Medium. |
| High (H) | Loss of [Confidentiality \| Integrity \| Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). |
| Medium (M) | Loss of [Confidentiality \| Integrity \| Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). |
| Low (L) | Loss of [Confidentiality \| Integrity \| Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). |

Modified Base Metrics

These metrics enable the analyst to override individual Base metrics based on specific characteristics of a user’s environment. Characteristics that affect Exploitability, Scope, or Impact can be reflected via an appropriately modified Environmental Score.

The full effect on the Environmental score is determined by the corresponding Base metrics. That is, these metrics modify the Environmental Score by overriding Base metric values, prior to applying the Environmental Security Requirements. For example, the default configuration for a vulnerable component may be to run a listening service with administrator privileges, for which a compromise might grant an attacker Confidentiality, Integrity, and Availability impacts that are all High. Yet, in the analyst’s environment, that same Internet service might be running with reduced privileges; in that case, the Modified Confidentiality, Modified Integrity, and Modified Availability might each be set to Low.

For brevity, only the names of the Modified Base metrics are mentioned. Each Modified Environmental metric has the same values as its corresponding Base metric, plus a value of Not Defined. Not Defined is the default and uses the metric value of the associated Base metric.

The intent of this metric is to define the mitigations in place for a given environment. It is acceptable to use the modified metrics to represent situations that increase the Base Score. For example, the default configuration of a component may require high privileges to access a particular function, but in the analyst’s environment there may be no privileges required. The analyst can set Privileges Required to High and Modified Privileges Required to None to reflect this more serious condition in their particular environment.

The list of possible values is presented in Table

Table Modified Base Metrics

| Modified Base Metric | Corresponding Values |
| --- | --- |
| Modified Attack Vector (MAV) | The same values as the corresponding Base Metric (see Base Metrics above), as well as Not Defined (the default). |
| Modified Attack Complexity (MAC) | |
| Modified Privileges Required (MPR) | |
| Modified User Interaction (MUI) | |
| Modified Scope (MS) | |
| Modified Confidentiality (MC) | |
| Modified Integrity (MI) | |
| Modified Availability (MA) | |

For some purposes it is useful to have a textual representation of the numeric Base, Temporal and Environmental scores. All scores can be mapped to the qualitative ratings defined in Table [^3]

Table Qualitative severity rating scale

| Rating | CVSS Score |
| --- | --- |
| None | |
| Low | - |
| Medium | - |
| High | - |
| Critical | - |

As an example, a CVSS Base Score of has an associated severity rating of Medium. The use of these qualitative severity ratings is optional, and there is no requirement to include them when publishing CVSS scores. They are intended to help organizations properly assess and prioritize their vulnerability management processes.

The CVSS v vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form.

The CVSS v vector string begins with the label “CVSS:” and a numeric representation of the current version, “”. Metric information follows in the form of a set of metrics, each preceded by a forward slash, “/”, acting as a delimiter. Each metric is a metric name in abbreviated form, a colon, “:”, and its associated metric value in abbreviated form. The abbreviated forms are defined earlier in this specification (in parentheses after each metric name and metric value), and are summarized in the table below.

A vector string should contain metrics in the order shown in Table 15, though other orderings are valid. All Base metrics must be included in a vector string. Temporal and Environmental metrics are optional, and omitted metrics are considered to have the value of Not Defined (X). Metrics with a value of Not Defined can be explicitly included in a vector string if desired. Programs reading CVSS v vector strings must accept metrics in any order and treat unspecified Temporal and Environmental as Not Defined. A vector string must not include the same metric more than once.

Table Base, Temporal and Environmental Vectors

| Metric Group | Metric Name (and Abbreviated Form) | Possible Values | Mandatory? |
| --- | --- | --- | --- |
| Base | Attack Vector (AV) | [N,A,L,P] | Yes |
| | Attack Complexity (AC) | [L,H] | Yes |
| | Privileges Required (PR) | [N,L,H] | Yes |
| | User Interaction (UI) | [N,R] | Yes |
| | Scope (S) | [U,C] | Yes |
| | Confidentiality (C) | [H,L,N] | Yes |
| | Integrity (I) | [H,L,N] | Yes |
| | Availability (A) | [H,L,N] | Yes |
| Temporal | Exploit Code Maturity (E) | [X,H,F,P,U] | No |
| | Remediation Level (RL) | [X,U,W,T,O] | No |
| | Report Confidence (RC) | [X,C,R,U] | No |
| Environmental | Confidentiality Requirement (CR) | [X,H,M,L] | No |
| | Integrity Requirement (IR) | [X,H,M,L] | No |
| | Availability Requirement (AR) | [X,H,M,L] | No |
| | Modified Attack Vector (MAV) | [X,N,A,L,P] | No |
| | Modified Attack Complexity (MAC) | [X,L,H] | No |
| | Modified Privileges Required (MPR) | [X,N,L,H] | No |
| | Modified User Interaction (MUI) | [X,N,R] | No |
| | Modified Scope (MS) | [X,U,C] | No |
| | Modified Confidentiality (MC) | [X,N,L,H] | No |
| | Modified Integrity (MI) | [X,N,L,H] | No |
| | Modified Availability (MA) | [X,N,L,H] | No |

For example, a vulnerability with Base metric values of “Attack Vector: Network, Attack Complexity: Low, Privileges Required: High, User Interaction: None, Scope: Unchanged, Confidentiality: Low, Integrity: Low, Availability: None” and no specified Temporal or Environmental metrics would produce the following vector:

The same example with the addition of “Exploitability: Functional, Remediation Level: Not Defined” and with the metrics in a non-preferred ordering would produce the following vector:
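The reading rules above (any metric order, all Base metrics mandatory, no repeated metric, omitted Temporal and Environmental metrics treated as Not Defined) can be enforced by a strict parser. The following Python is an added example, not part of the specification or of FIRST's calculator; the version label "3.1", the function names, and the two sample vectors (constructed from the metric values named in the two examples above) are assumptions.

```python
# Added example: strict reader/writer for the vector string format described above.
# ASSUMPTION: the version label is "3.1"; the page text does not show the number.
ASSUMED_VERSION = "3.1"

# Abbreviated metric names and permitted values, copied from the vector table.
BASE = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
        "S": "UC", "C": "HLN", "I": "HLN", "A": "HLN"}
TEMPORAL = {"E": "XHFPU", "RL": "XUWTO", "RC": "XCRU"}
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML",
                 "MAV": "XNALP", "MAC": "XLH", "MPR": "XNLH", "MUI": "XNR",
                 "MS": "XUC", "MC": "XNLH", "MI": "XNLH", "MA": "XNLH"}
ALLOWED = {**BASE, **TEMPORAL, **ENVIRONMENTAL}  # dict order = preferred order


class VectorError(ValueError):
    """Raised when a vector string breaks one of the format rules."""


def parse_vector(vector):
    """Return {metric: value} for all 22 metrics; input order does not matter."""
    label, _, rest = vector.partition("/")
    if label != "CVSS:" + ASSUMED_VERSION:
        raise VectorError("vector must start with CVSS:" + ASSUMED_VERSION)
    metrics = {}
    for field in rest.split("/"):
        name, sep, value = field.partition(":")
        if not sep or name not in ALLOWED:
            raise VectorError("unknown or malformed metric: %r" % field)
        if name in metrics:
            raise VectorError("metric given more than once: " + name)
        # Length check first: "" and "NA" would both pass a bare substring test.
        if len(value) != 1 or value not in ALLOWED[name]:
            raise VectorError("invalid value for %s: %r" % (name, value))
        metrics[name] = value
    missing = [name for name in BASE if name not in metrics]
    if missing:
        raise VectorError("missing mandatory Base metrics: " + ", ".join(missing))
    # Unspecified Temporal and Environmental metrics are Not Defined (X).
    for name in list(TEMPORAL) + list(ENVIRONMENTAL):
        metrics.setdefault(name, "X")
    return metrics


def format_vector(metrics, include_not_defined=False):
    """Serialize in the preferred order, dropping X values unless asked to keep them."""
    parts = ["CVSS:" + ASSUMED_VERSION]
    for name in ALLOWED:
        value = metrics[name]
        if name in BASE or value != "X" or include_not_defined:
            parts.append(name + ":" + value)
    return "/".join(parts)


def effective_base(metrics):
    """Apply Modified Base metrics; Not Defined (X) falls back to the Base value."""
    return {name: metrics["M" + name] if metrics["M" + name] != "X" else metrics[name]
            for name in BASE}


def is_valid(vector):
    """True when the vector parses without breaking any rule."""
    try:
        parse_vector(vector)
        return True
    except VectorError:
        return False


# Constructed samples: the metric values from the two prose examples above.
BASE_ONLY = "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
REORDERED = "CVSS:3.1/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N/E:F/RL:X"

if __name__ == "__main__":
    print(format_vector(parse_vector(REORDERED)))            # normalized order
    print(is_valid(BASE_ONLY + "/AV:L"))                     # repeated metric
    print(effective_base(parse_vector(BASE_ONLY + "/MPR:N")))  # PR overridden
```

Normalizing every stored vector through `format_vector(parse_vector(...))` makes vectors from different sources comparable as plain strings.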

The CVSS v equations are defined in the sub-sections below. They rely on helper functions defined as follows:

  • Minimum returns the smaller of its two arguments.
  • Roundup returns the smallest number, specified to 1 decimal place, that is equal to or higher than its input. For example, Roundup () returns ; and Roundup () returns . To ensure consistent results across programming languages and hardware, see Appendix A for advice to Implementers on avoiding small inaccuracies introduced in some floating point implementations.

Substitute Individual metrics used in equations with the associated constant listed in Section

Base Metrics Equations

The Base Score formula depends on sub-formulas for Impact Sub-Score (ISS), Impact, and Exploitability, all of which are defined below:

ISS = 1 - [ (1 - Confidentiality) × (1 - Integrity) × (1 - Availability) ]

Impact =
  If Scope is Unchanged:  × ISS
  If Scope is Changed:  × (ISS - ) -  × (ISS - )^15

Exploitability =  × AttackVector × AttackComplexity × PrivilegesRequired × UserInteraction

BaseScore =
  If Impact <= 0: 0, else
  If Scope is Unchanged: Roundup (Minimum [(Impact + Exploitability), 10])
  If Scope is Changed: Roundup (Minimum [ × (Impact + Exploitability), 10])

Temporal Metrics Equations

TemporalScore = Roundup (BaseScore × ExploitCodeMaturity × RemediationLevel × ReportConfidence)

Environmental Metrics Equations

The Environmental Score formula depends on sub-formulas for Modified Impact Sub-Score (MISS), ModifiedImpact, and ModifiedExploitability, all of which are defined below:

MISS = Minimum ( 1 - [ (1 - ConfidentialityRequirement × ModifiedConfidentiality) × (1 - IntegrityRequirement × ModifiedIntegrity) × (1 - AvailabilityRequirement × ModifiedAvailability) ], )

ModifiedImpact =
  If ModifiedScope is Unchanged:  × MISS
  If ModifiedScope is Changed:  × (MISS - ) -  × (MISS ×  - )^13

ModifiedExploitability =  × ModifiedAttackVector × ModifiedAttackComplexity × ModifiedPrivilegesRequired × ModifiedUserInteraction

Note that the exponent at the end of the ModifiedImpact sub-formula is 13, which differs from CVSS v See the User Guide for more details of this change.

EnvironmentalScore =
  If ModifiedImpact <= 0: 0, else
  If ModifiedScope is Unchanged: Roundup ( Roundup [Minimum ([ModifiedImpact + ModifiedExploitability], 10) ] × ExploitCodeMaturity × RemediationLevel × ReportConfidence)
  If ModifiedScope is Changed: Roundup ( Roundup [Minimum ( × [ModifiedImpact + ModifiedExploitability], 10) ] × ExploitCodeMaturity × RemediationLevel × ReportConfidence)

Metric Values

Each metric value has an associated constant which is used in the formulas, as defined in Table

Table Metric values

| Metric | Metric Value | Numerical Value |
| --- | --- | --- |
| Attack Vector / Modified Attack Vector | Network | |
| | Adjacent | |
| | Local | |
| | Physical | |
| Attack Complexity / Modified Attack Complexity | Low | |
| | High | |
| Privileges Required / Modified Privileges Required | None | |
| | Low | (or if Scope / Modified Scope is Changed) |
| | High | (or if Scope / Modified Scope is Changed) |
| User Interaction / Modified User Interaction | None | |
| | Required | |
| Confidentiality / Integrity / Availability / Modified Confidentiality / Modified Integrity / Modified Availability | High | |
| | Low | |
| | None | 0 |
| Exploit Code Maturity | Not Defined | 1 |
| | High | 1 |
| | Functional | |
| | Proof of Concept | |
| | Unproven | |
| Remediation Level | Not Defined | 1 |
| | Unavailable | 1 |
| | Workaround | |
| | Temporary Fix | |
| | Official Fix | |
| Report Confidence | Not Defined | 1 |
| | Confirmed | 1 |
| | Reasonable | |
| | Unknown | |
| Confidentiality Requirement / Integrity Requirement / Availability Requirement | Not Defined | 1 |
| | High | |
| | Medium | 1 |
| | Low | |

A Word on CVSS v Equations and Scoring

The CVSS v formula provides a mathematical approximation of all possible metric combinations ranked in order of severity (a vulnerability lookup table). To produce the CVSS v formula, the CVSS Special Interest Group (SIG) framed the lookup table by assigning metric values to real vulnerabilities, and a severity group (low, medium, high, critical). Having defined the acceptable numeric ranges for each severity level, the SIG then collaborated with Deloitte & Touche LLP to adjust formula parameters in order to align the metric combinations to the SIG's proposed severity ratings.

Given that there are a limited number of numeric outcomes ( outcomes, ranging from to ), multiple scoring combinations may produce the same numeric score. In addition, some numeric scores may be omitted because the weights and calculations are derived from the severity ranking of metric combinations. Further, in some cases, metric combinations may deviate from the desired severity threshold. This is unavoidable and a simple correction is not readily available because adjustments made to one metric value or equation parameter in order to fix a deviation, cause other, potentially more severe deviations.

By consensus, and as was done with CVSS v, the acceptable deviation was a value of That is, all the metric value combinations used to derive the weights and calculation will produce a numeric score within its assigned severity level, or within of that assigned level. For example, a combination expected to be rated as a “high” may have a numeric score between and Finally, CVSS v retains the range from to for backward compatibility.

Simple implementations of the Roundup function defined in Section 7 are likely to lead to different results across programming languages and hardware platforms. This is due to small inaccuracies that occur when using floating point arithmetic. For example, although the intuitive result of  +  is , JavaScript implementations on many systems return . A simple implementation of Roundup would round this up to , which is counter-intuitive.

Implementers of CVSS formulas must take steps to avoid these types of problems. Different techniques may be required for different languages and platforms, and some may offer standard functionality that minimizes or fully avoids such problems.

A suggested approach is for the Roundup function to first multiply its input by , and convert it to the nearest integer. The rounding up should then be performed using only integer arithmetic, which is not subject to floating point inaccuracies. An example of pseudocode for such an implementation is:

    The floor function on line 6 represents integer division, i.e., the largest integer value less than or equal to its input. Many programming languages include a floor function as standard.

    Line 3 checks if the least significant four digits of the integer are all zeroes, e.g., an input of would be converted by line 2 into ,, making the result of the modulo operation 0 and therefore the if statement condition is true. If true, no additional rounding is required. If false, the integer is incremented by before being returned, though line 6 performs this on numbers ten times bigger than the result will be in order to use integer arithmetic.
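The integer-arithmetic approach described above, set beside a naive floating-point version, as an added Python example (it is not the specification's own pseudocode, and its line numbers do not match the ones referenced above). The multiplier 100000 and the modulus 10000 are assumptions derived from "1 decimal place" plus "least significant four digits"; the function names are hypothetical.

```python
import math


def roundup_naive(value):
    """Round up to 1 decimal place using floating point only (error-prone)."""
    return math.ceil(value * 10) / 10


def roundup(value):
    """Round up to 1 decimal place using integer arithmetic for the decision."""
    # ASSUMPTION: scale by 10**5 (one kept decimal digit plus four guard digits),
    # then convert to the nearest integer to absorb floating point noise.
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        # The four least significant digits are zero: already at 1 decimal place.
        return int_input / 100000.0
    # Integer (floor) division drops the guard digits; add 1 to round up.
    # The sum is ten times the result, so divide by 10 at the very end.
    return (int_input // 10000 + 1) / 10.0


def compare_on_sums(limit=100):
    """Sum every pair a/10 + b/10 (a, b in 0..limit) and report wrong roundings.

    Each exact sum already has one decimal place, so the correct Roundup
    result is (a + b) / 10. Returns (naive_wrong, integer_wrong) as lists of
    (a, b) pairs for which each implementation disagrees with that value.
    """
    naive_wrong, integer_wrong = [], []
    for a in range(limit + 1):
        for b in range(limit + 1):
            total = a / 10 + b / 10      # may carry a tiny representation error
            expected = (a + b) / 10
            if roundup_naive(total) != expected:
                naive_wrong.append((a, b))
            if roundup(total) != expected:
                integer_wrong.append((a, b))
    return naive_wrong, integer_wrong


if __name__ == "__main__":
    total = 0.1 + 0.2                    # stored as 0.30000000000000004
    print(roundup_naive(total), roundup(total))
    naive_wrong, integer_wrong = compare_on_sums()
    print(len(naive_wrong), "naive mismatches;", len(integer_wrong), "integer mismatches")
```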

    FIRST sincerely recognizes the contributions of the following CVSS Special Interest Group (SIG) members, listed in alphabetical order:

    • Adam Maris (Red Hat)
    • Arkadeep Kundu (Dell)
    • Arnold Yoon (Dell)
    • Art Manion (CERT/CC)
    • Bruce Lowenthal (Oracle)
    • Bruce Monroe (Intel)
    • Charles Wergin (NIST)
    • Christopher Turner (NIST)
    • Cosby Clark (IBM)
    • Dale Rich (Depository Trust & Clearing Corporation)
    • Damir 'Gaus' Rajnovic (Panasonic)
    • Daniel Sommerfeld (Microsoft)
    • Darius Wiles (Oracle)
    • Dave Dugal (Juniper)
    • Deana Shick (CERT/CC)
    • Fabio Olive Leite (Red Hat)
    • James Kohli (GE Healthcare)
    • Jeffrey Heller (Sandia National Laboratories)
    • John Stuppi (Cisco)
    • Jorge Orchilles (Citi)
    • Karen Scarfone (Scarfone Cybersecurity)
    • Luca Allodi (Eindhoven University of Technology)
    • Masato Terada (Information-Technology Promotion Agency, Japan)
    • Max Heitman (Citi)
    • Melinda Rosario (SecureWorks)
    • Nazira Carlage (Dell)
    • Rani Kehat (Radiflow)
    • Renchie Abraham (SAP)
    • Sasha Romanosky (Carnegie Mellon University)
    • Scott Moore (IBM)
    • Troy Fridley (Cisco)
    • Vijayamurugan Pushpanathan (Schneider Electric)
    • Wagner Santos (UFCG)

    FIRST would also like to thank Abigail Palacios and Vivian Smith from Conrad Inc. for their tireless work facilitating the CVSS SIG meetings.

    • CVSS main page - manicapital.com
      The main web page for all CVSS resources, including the most recent version of the CVSS standard.

    • Specification Document - manicapital.com
      The latest revision of this document, defining the metrics, formulas, qualitative rating scale and vector string.

    • User Guide - manicapital.com
      A companion to the Specification, the User Guide includes further discussion of the CVSS standard including particular use cases, guidelines on scoring, scoring rubrics, and a glossary of the terms used in the Specification and User Guide documents.

    • Examples Document - manicapital.com
      Includes scores of public vulnerabilities and explanations of why particular metric values were chosen.

    • Calculator - manicapital.com
      A reference implementation of the CVSS standard that can be used for generating scores. The underlying code is documented and can be used as part of other implementations.

    • JSON and XML Schemas - manicapital.com
      Data representations for CVSS metrics, scores and vector strings in JSON Schema and XML Schema Definition (XSD) representations. These can be used to store and transfer CVSS information in defined JSON and XML formats.

    Source: [manicapital.com]

    Release Notes

    An address book is a place where you can keep and organize your remote connections. Each connection represents a specific remote computer. Connections have properties such as the destination address, access password (if saved), color depth and so on.

    Remote Utilities allows you to back up and encrypt your address books stored locally.

    Related links: Address book

    The Host is a remote module installed on a target (i.e. remote) PC. This module works for both unattended and attended access.

    Related links: About Remote Utilities

    MSI Configurator is a built-in tool that helps you create a custom Host or Agent installer for deployment across your remote computers.

    Related links: MSI configuration

    Auto-import is a feature available with the self-hosted server. When this feature is enabled, remote Hosts that connect to your self-hosted server are automatically added to the specified folder in your server address book as new connections:

    Related links: RU Server

    Viewer is a single "command center" used by a support technician/admin. The Viewer is where you keep your address book, start remote sessions and manage your licenses.

    Related links: About Remote Utilities

    Full Control and View mode allows you to view the remote screen, move the remote mouse pointer and send clicks/keystrokes. You can switch between Full Control and View Only modes by using an icon on the mode window toolbar.

    Related links: Connection modes

    Single password security is one of the four available authorization methods in Remote Utilities. This is the simplest authorization method — in order to successfully log in on a remote Host you only need to enter the access password.

    Related links: Getting started, Host settings

    Remote Utilities Security

    Remote Utilities Security is one of the four authorization methods available in Remote Utilities. With this method enabled you authorize on a remote Host using a login/password pair. Different users can be created on the remote Host with different access permissions.

    Related links: Host settings

    Windows Security is one of the four authorization methods available in Remote Utilities. This method allows you to authorize on remote Hosts using your Windows and/or Active Directory account credentials.

    Related links: Host settings

    Custom server security is one of the four authorization methods available in Remote Utilities. Using this method you sign in on your self-hosted server in your Viewer app and can further access your remote Hosts in one click without entering access credentials. Learn how to set up custom server security

    Related links: RU Server

    An Internet-ID connection uses an intermediary server on the Web ("Internet-ID server") to broker a remote connection between Viewer and Host.

    Related links: Getting started

    Agent is a remote module for spontaneous-only support. The Agent displays its own window that can be branded with your custom logo and text. Agent doesn't require installation and administrative privileges to run.

    Related links: About Remote Utilities

    The Dashboard is an informational panel located in the Host settings. It summarizes information about direct and Internet-ID connections as well as enabled authorization methods for the given Host.

    Related links: Host settings

    Each connection in the Viewer's address book has individual properties that you can edit. You can also set custom defaults for newly created connections.

    Related links: Address book

    The notification panel is a small window shown on the remote side during a remote session. It notifies the remote user that an active remote session is currently in progress.

    Related links: Special features

    A direct connection is possible when the Host is in direct visibility to the Viewer, i.e. the Host can be addressed by its IP address or hostname (DNS name).

    This connection type does not require any intermediary (relay) servers in-between Viewer and Host and is by definition the fastest way to access a remote Host.

    Learn more about direct connection

    Related links: Getting started, Ports and port forwarding

    Remote Utilities for Windows Beta 2 (Viewer repackage)

    Released on May 18,

    • Fixed: Viewer address book and configuration files are saved to the correct %appdata% folder now (Remote Utilities instead of Remote Manipulator System)

    Remote Utilities for Windows Beta 2

    Released on May 6,

    • Added: New blank remote screen mechanism that allows adding a custom text to the remote screen when it is blanked. Note: The new mechanism has replaced the old driver-based mechanism. The "monitor driver" has been discontinued and no longer needs to be installed for blank remote screen to work.
    • Added: TLS support when sending emails using the "SMTP" feature
    • Added: Clipboard transfer can now be disabled in Host settings for added security/privacy
    • Added: Maximum address book thumbnail size is now px instead of px
    • Fixed: Memory leak issues when running Host/Agent on certain configurations that could cause Host/Agent to freeze
    • Fixed: NTLM authentication issue in Viewer running on a computer with online Microsoft account
    • Minor fixes and improvements

    RU Server Beta 2

    Released on May 6,

    • Added: Port manager that allows for more granular port settings. For example, different roles and IP filters can be set for different ports.
    • Fixed: Some issues that could make RU server freeze during custom server security authorization or when viewing active/idle connections in the Admin Console

    Remote Utilities for Windows Beta 1

    Released on February 3,

    • Added: Signing in on a self-hosted server is now in background (status is shown in the status bar)
    • Added: Viewer-to-RUServer and Host-to-RUServer authorization is now TLS based instead of RSA, which makes authorization on the server significantly faster
    • Added: Reconnecting to (signing in on) a self-hosted server automatically when connection is interrupted
    • Added: "Send clipboard as keystrokes" feature added (e.g. this may help when entering passwords on remote Windows welcome screen)
    • Fixed: Fixed issue with some keys (Enter, Shift) not working on a remote computer in some circumstances
    • Fixed: Some issues with advanced mouse scroll
    • Fixed: Minor fixes and improvements

    Viewer for Mac and Linux q Beta 2

    Released on December 24,

    • Added: Send Ctrl+Alt+Del command
    • Added: Displaying remote cursor shape (rendering of Host's cursor)
    • Added: Advanced mouse scroll (moving the cursor to screen edges to scroll the picture)

    Viewer for Mac and Linux q Beta 1

    Released on December 12,

    Features available in Viewer for Mac/Linux Beta 1:

    • Full control and view connection mode
    • Direct and Internet-ID connection
    • Single password and Remote Utilities security
    • Address book in XML format compatible with Windows Viewer
    • Multiple address books and address books manager
    • Normal and Stretch options for the view mode

    RU Server

    Released on November 28,

    • Minor fixes and improvements.

    Remote Utilities

    Released on July 2,

    • Fixed an issue that caused the system to crash when applying Windows updates KB and KB on some systems. It is advised to first update Remote Utilities before applying those Windows updates;
    • Minor fixes and improvements.

    Remote Utilities

    Released on April 30,

    • Fixed an issue that caused connections in the address book to briefly go offline and back online even on a stable Internet connection.
    • Fixed an issue that sometimes caused Host service to stop after authorization.

    RU Server

    Released on April 16,

    • Fixed an issue that caused folders and entries in a synced address book on the Viewer side to disappear after being edited.

    Remote Utilities and RU Server

    Released on April 14,

    • Synchronization of large address books via the self-hosted server (RU Server) was improved.
    • Keyboard input model in Viewer connection properties can now be explicitly selected on the Keyboard tab.
    • Fixed an issue with RU Server which would sometimes cause client authorization to drop.
    • Fixed an issue with email notifications not sent via SMTP when using non-Latin characters in computer name.
    • Minor fixes and improvements.

    Remote Utilities and RU Server

    Released on February 6,

    • Fixed an issue with certain keyboard shortcuts not working after the previous program update.
    • Fixed an issue with blank remote screen feature not working on Windows 10 in some cases.
    • Minor fixes and improvements.

    Remote Utilities and RU Server

    Released on January 1,

    • Ability to switch to the legacy keyboard input model in Viewer connection properties.
    • Fixed an issue with certain Windows hotkeys and key combinations not working.

    Remote Utilities

    Released on December 26,

    • Ability to specify your own SMTP settings in the MSI Configurator for the "Send email" feature. Note: This feature has replaced the old mechanism of sending emails via our hosted service.
    • Local cursor now takes the shape of the remote cursor. This lets the program display different remote cursor states (such as column resizing arrows) correctly.
    • Fixed an issue with some Settings protection checkboxes not saving in Host configuration window.
    • Remote printing now works with apps such as Edge and Photos.
    • Session video recording consumes less CPU resources on the Viewer. Session videos now show the remote cursor.
    • Fixed an issue with RU Server's Auto-import feature which caused RU Server service to hang/freeze in certain conditions.
    • Switching to the main Viewer window is now possible even when an authorization prompt window is being displayed. The authorization prompt window is no longer modal.
    • Fixed a bug which would sometimes cause switching the typing focus away from the mini-chage window in Full Control connection mode.
    • Minor fixes and improvements.

    Remote Utilities

    Released on October 19,

    • Authorization methods Single-password security, RU Security, Windows security and Custom Server Security can now be enabled simultaneously using checkboxes.
    • 2-step verification has been added. You can use Google Authenticator or any other similar app to receive the security code when connecting to a remote Host.
    • The self-hosted server can now be protected with a PIN-code against unauthorized use of the Internet-ID feature by strangers who happen to find out or guess the server's address and port.
    • You can now remotely restart the Agent as administrator (provided you know the credentials) in order to perform the necessary tasks during a remote session, such as installing programs and interacting with UAC prompts.
    • The use of the self-hosted server's Internet-ID feature can now be restricted to authorized users only (i.e. permission-based use of the Internet-ID).
    • Single-password security is now more clearly separated from Remote Utilities Security in connection properties on the Viewer side. Namely, the password and username/password can be saved separately for each of these two authorization methods.
    • Data encryption protocol has been changed to a more modern TLS
    • Host authority is now verified automatically based on certificates. If Host certificate has been changed the Viewer receives a warning.
    • New and more streamlined Host settings interface with a Dashboard that summarizes the most important details.
    • The remote screen transfer speed of dynamically changing content (e.g. videos) over slow connections has been increased.
    • New "Log off on disconnect" option added to connection properties.
    • "Force custom server security" option can now be enabled for a user account on RU Server. This option, when enabled, forces this specific user to connect to Hosts using Custom Server Security only (provided the user is signed in on the server).
    • Left-hand mouse support.
    • Remote Utilities monitor driver (the one used for blanking remote screen) now works on Windows 10 with secure boot enabled.
    • Data transmission protocol for the remote sound feature has been updated. The new protocol is not backward compatible with older versions.
    • A bug that would cause a folder in an address book to disappear when dragged onto itself.
    • A bug that would cause the notification panel to stay on the desktop even after remote connection was closed or terminated.
    • A bug that would cause the address book file to get corrupted in some cases after closing the Viewer.
    • A bug that would cause the Viewer to show a warning when trying to unbind hotkeys in Viewer options.
    • Minor fixes and improvements.

    Remote Utilities

    Released on August 26,

    • Custom Host installers built with the MSI Configurator can now be digitally signed. Learn more
    • Minor fixes and improvements.

    Remote Utilities

    Released on July 6,

    • An option in the Host settings that when enabled integrates Host with Windows Firewall at system startup.
    • A special check/mechanism that should fix the issue with Host service not starting sometimes after the upgrade and issues with uninstalling the Host.
    • Fixed issues with Custom Server Security not working properly when Windows security is enabled as an alternative authorization method.
    • Minor fixes and improvements.

    Remote Utilities

    Released on June 28,

    • A new license type - STARTER license - is now offered.
    • The Power Control mode commands (restart, shut down etc.) can now be applied to multiple connections in the address book.
    • Automatic online status checks are now available for direct connections. This option needs to be enabled in connection properties.
    • Updated display rules for the "Remote Utilities has been installed" message, which appears when "Generate Internet-ID" option is selected during MSI Configuration.
    • The "exit" command now works properly in the Terminal mode.
    • An issue with the notification panel randomly changing its location on the screen in some circumstances.
    • An issue with connections added to a synced address book via code not being synced properly with the server address book.
    • A problem with proper Windows username display in the User column in the Details view.
    • A problem with the Viewer freezing when Wake-on-LAN is run on multiple connections at once.
    • Minor fixes and improvements.

    Remote Utilities

    Released on May 1,

    • Custom Server Security, if enabled, now overrides Windows security.
    • Minor fixes and improvements.

    Remote Utilities

    Released on April 20,

    • Improved "Internet-ID" tab in the MSI Configurator. All Internet-ID settings are now in one place.
    • Improved "Settings update" tab in the MSI Configurator.
    • When using the "Add using code" feature the remote computer name is automatically used as the connection name.
    • The encrypted code sent via email now also contains a custom Internet-ID server address, if used.
    • The "Add new connection" button in the contents pane of the address book can now be hidden in Viewer options.
    • An automatically generated password created when using the MSI Configurator is now longer and more secure.
    • A bug that allowed elevation of remote user's rights when opening Internet Explorer from the notification window has been fixed.
    • Minor fixes and improvements.

    Remote Utilities

    Released on March 28,

    • Minor fixes and improvements.

    Remote Utilities

    Released on March 27,

    • Instant search across all address books open in Viewer.
    • Address book navigation bar similar to the address bar in Windows Explorer. The navigation bar lets you quickly navigate back along the current path.
    • A special "All connections" item in the Viewer address book tree that displays all connections across all address books.
    • Permissions in RU-Server address book can now be selectively applied to either the object and its subobjects, object only or subobjects only. This allows for better planning and organization when setting permissions in a multi-user environment.
    • European Portuguese interface language.
    • Host installation notifications no longer require the remote user to click the Accept button; instead, an informational message is displayed after Host installation.
    • Internet-ID is now digit (e.g. ) instead of 9-digit (e.g. ). This is to eliminate possible duplication issues and improve overall stability.
    • An issue with connections showing OFFLINE status even though they were online has been fixed.
    • Internet-ID can now be randomly generated on a given Host; the "fixed ID" change that was introduced in version has now been rolled back.
    • Minor fixes and improvements.

    Remote Utilities

    Released on December 12,

    • A bug that caused online status notifications to still show in the system tray despite the corresponding check box being unchecked in Viewer options
    • Minor fixes and improvements

    Remote Utilities

    Released on December 10,

    • A bug that would cause creating duplicate Internet-IDs on cloned machines
    • Minor fixes and improvements

    Remote Utilities

    Released on December 6,

    • Multiple address books that can be synchronized through the RU Server.
    • Centralized permissions management in the RU Server. Users and groups can be created, and each user or group assigned different permissions for accessing the address books, synchronized through the server.
    • Additional authorization method to the Host – “Custom server security”. With this authorization method the RU server acts as a “domain controller” for the Host. You can use accounts created on the RU server to authorize on the Host.
    • The Blank remote screen feature for Windows 8 and higher (requires agreeing to install an additional driver during Host installation).
    • Local address book encryption in the Viewer. When enabled, the user must enter the unlock password to start working with the Viewer and to get access to the contents of the address books.
    • RU server now keeps a connection/error log.
    • In addition to /name and /password the Viewer now accepts remote computer’s IP address and Internet ID as parameters.
    • You can install and uninstall RU printer and RU monitor drivers in the Host settings.
    • Chat messages can now be sent by pressing Enter.
    • “Run after reboot” option for Agent
    • Auto-import - Hosts connected to the self-hosted server (RU Server) are automatically added to a designated address book folder
    • Encrypted address books can now be imported into the Viewer
    • Connections in the Viewer's address book can now display online status for Internet-ID connection type.
    • A notification appears in the system tray whenever a remote PC comes online
    • New license type per operator mini.
    • Connections can be dragged from a folder in a local address book and dropped into a folder in a cloud address book and vice versa
    • RU Server is now capable of maintaining up to , Hosts simultaneously.
    • Password prompt window simplified – additional authorization options are available with a click on the Advanced button.
    • Speed and performance on slower networks for Windows 8 and higher.
    • A remote session starts faster, especially for Internet-ID connections.
    • Host logs are now more detailed.
    • Integrating of Agent with Windows firewall.
    • “Scanning for Hosts” tool dialog
    • RU Server configuration window (settings) can now be launched from within Administrator Console
    • A bug that caused the files to be irreversibly deleted when the move operation in File Transfer was cancelled or interrupted.
    • A bug that caused glitches when multiple monitors in the Full Control were viewed with Economode enabled in the connection properties.
    • Host settings are now stored in the SOFTWARE registry key instead of the SYSTEM key. The settings are no longer reset/deleted during Windows 10 upgrades.
    • Minor fixes and improvements.
    • “Sticking” Alt, Ctrl or Shift key when switching from Full Control window to another window while keeping the key pressed
    • Idle or active hosts in the RU Server Administrator Console not showing
    • Minor fixes and improvements.

    Remote Utilities

    Released on July 2,

    • Minor fixes and improvements

    Remote Utilities

    Released on June 18,

    • Q+Alt+Tab switches windows on the local desktop when used in the Full Control Window.
    • Alt+F12 Toggles between Full Control and View Only modes when hit in the Full Control/View Only mode window.
    • Balloon hint/tooltip of the Host now shows the computer name of the administrator/technician who connected to the remote PC.
    • The entire Host icon menu can now be hidden in the Host settings.
    • Hiding Host’s tray icon is no longer possible.
    • Encrypted block of text not being sent via e-mail by a configured Agent package when using “Automatically generate Host password” in the MSI Configurator.

    Remote Utilities

    Released on June 2,

    • Minor fixes and improvements

    Remote Utilities

    Released on May 12,

    • You no longer need to launch the Viewer with administrator rights in order to be able to use video chat or session video recording
    • Host and Agent crashing/hanging when changing Windows color scheme
    • Viewer now remembers its windows position when they are minimized and then restored
    • Minor fixes and improvements

    Remote Utilities

    Released on May 8,

    • Updated Viewer interface
    • Custom field for the “Send ID via e-mail” option
    • “Ask user to identify themselves” configuration option now works for all package types (standard, one-click and agent)
    • “Restart Host” item in the Host menu
    • Ability to generate ID on the remote Host without sending an e-mail
    • An option to hide Active Directory tree in the Viewer
    • Minor issues with the One-click configuration option
    • Internet ID being incorrectly added to the “Direct connection” field in connection properties

    Remote Utilities

    Released on March 26,

    • A toolbar button for minimizing the Full Control window when in fullscreen mode.
    • RU Server administration console has been added to the Viewer as a built-in tool.
    • The checkboxes on the Modes tab in Host security settings were inverted. Now if a checkbox is checked, it means that the corresponding mode is allowed.
    • Sync issues between Viewer x.x. and Viewer x.x that caused the address book to disappear. Now if the sync server has a newer version of the address book than the Viewer version, the sync will not work until the Viewer is updated.
    • Some issues with file access rights when using File Transfer mode.
    • An issue with the Full Control window freezing with enabled capture sound mode in some operating systems.
    • Arrow keys not working in a non-tabbed Full Control window.
    • Mini-chat panel in the Full Control window losing focus.

    Remote Utilities

    Released on March 2,

    • Simplified registration system. Now you only need to register the Viewer instead of registering each and every Host as before
    • Simple 9-digit format for Internet IDs
    • Auto-logon now works for Internet ID connections via RU Server
    • Blank remote screen option now works with capture alpha-blending windows option
    • Access denied error when re-connecting to the same remote PC after reboot
    • Issues with importing records into a synced address book
    • An issue when the user had to make one extra click in an application window to start typing after switching remote desktops in the Full Control window
    • Minor fixes and improvements

    Remote Utilities

    Released on December 17,

    • Issue with address book not importing properly using the "Import connections" command.
    • Issues when registering version 6 with a free version 5.x license key.

    Remote Utilities

    Released on December 16,

    • Address book sync via Remote Utilities Server (formerly called "GMS").
    • Multiple active address books in the Viewer
    • Session video recording
    • Take screenshot of the remote screen
    • Simple chat in the Full Control/View window
    • Automatic daily backups of address books in the Viewer
    • Agent connection log is now available in %AppData%\RUT_settings after the Agent is closed
    • Mapped network drive support in File Transfer mode
    • Windows PE 5 support
    • Comments field in address book records
    • Sort order field in address book records to enable custom sorting
    • Send broadcast message using the "Send message" connection mode
    • The "Screen Recorder" connection mode now supports multiple monitors
    • Protection against address book sync conflicts. Now if a certain Viewer is offline it cannot change/update records in a synced address book.
    • Issues with the Agent not properly working with UAC in some cases
    • Problem with empty pages when printing some files using the remote printing feature
    • Problem with RDP settings not saving properly
    • The USERNAME field in email messages sent by a custom MSI installer now correctly reflects the current user logged into the PC
    • Minor fixes and improvements

    Remote Utilities

    Released on February 12,

    • Minor fixes and improvements.

    Remote Utilities

    Released on January 22,

    • Free license for business use for 10 remote PCs.

    Remote Utilities

    Released on January 14,

    • Mobile Viewer for iOS and Android.
    • When launched by a user with administrative privileges, the Agent module runs as a service thus making it possible to handle UAC prompts remotely. This was previously available with the Host only.
    • Desktop Viewer now launches the native RDP client when the RDP connection mode is used.
    • The notification panel can now be moved/dragged around the screen.
    • Remote Host version and currently logged in user name are displayed in the address book “Detailed” view in Viewer.
    • The columns in the “Detailed” view can now be rearranged.
    • The one-click installer no longer opens Remote Utilities website after installation.
    • Minor fixes and improvements.

    Remote Utilities

    Released on August 4,

    • Significantly improved and optimized XML parsing mechanism of the address book.
    • Updated Viewer interface.
    • A bug with cascade authorization when using "Connect through Host" feature.
    • A bug that caused the GMS server IP/DNS address to be erased during remote Host upgrade.
    • A bug in the File Transfer mode when connecting to older versions of Host.
    • Minor fixes and improvements.

    Remote Utilities

    Released on June 30,

    • An error message that appeared when closing the Viewer
    • Fixes in the File Transfer mode and other connection modes
    • Minor fixes and improvements

    Remote Utilities

    Released on June 24,

    • Auto reconnect during temporary network breakdowns
    • New MSI configurator in the wizard form. New step added to the MSI configurator wizard that allows you to control which settings are applied during the remote Host update.
    • A panel/window at the bottom-right corner on the Host side with the list of currently connected Viewers. The remote user can close some or all of the connections. This panel is optional and can be enabled/disabled in the Host settings.
    • New "Full screen" view mode. When this mode is on, the window frame is removed but no scaling occurs. If the remote monitor resolution is higher than the local monitor resolution, scrolling is enabled. What was previously "Full screen" mode has been renamed "Full Screen Stretch".
    • An option to erase/wipe Host settings from the remote PC when uninstalling.
    • License Key Storage now shows the number of unused licenses left for each product key.
    • View mode toggle icons have been added to the toolbar.
    • Windows serial key is now displayed in the Inventory Manager report.
    • Dragging the tab away from the Full Control and View window will pop out the tab into its own window (behavior similar to that of the web browser Google Chrome).
    • French interface language. Parlez-vous français?
    • Program operation on Windows 8 has been optimized to improve performance.
    • Error log now shows not only the error number but also additional information/explanation about the error.
    • "Capture sound" option is now included in the Connection Properties so you can enable it permanently for a selected address book entry.
    • A bug that caused the Full Control and View window to change its position and dimensions every time the user switched to another remote screen tab. Now if a user maximizes the Full Control and View window it will stay maximized regardless of the new tabs open.
    • A bug that caused an RDP over ID connection to close when minimizing the RDP window.
    • Cascade authorization (Connect through Host feature) bug that caused erratic cascade connectivity and required manual logon to each intermediary Host.
    • A bug that caused the times for the files in File Transfer mode, both local and remote, to be displayed in UTC time, not local time.
    • Minor fixes and improvements.

    Remote Utilities

    Released on January 16,

    • The ability to disable remote printer driver installation when configuring an .msi file using MSI Configurator
    • Warning if the IP/ID/DNS name field is left blank when adding a new connection.
    • Minor fixes and improvements

    Remote Utilities

    Released on January 7,

    • Hebrew interface language
    • Polish interface language

    Remote Utilities

    Released on October 30,

    • Remote printing (printing a remote document on a local printer)
    • Event/Connection log in the Viewer that helps diagnose connection problems if any
    • RDP over ID, a feature that allows you to connect by the RDP protocol using Remote Utilities' ID feature as a tunnel
    • "Reboot in Safe Mode with networking" option added to the Power Control connection mode
    • Improved Viewer interface and main toolbar
    • Fixes in the text chat mode
    • Minor fixes and improvements

    Remote Utilities

    Released on July 26,

    • 4-digit password is now available in RUT Host and Agent
    • Ability to show a disclaimer to a remote customer was added to Agent customization settings
    • Gateway Mediation Server (GMS) updated to version
    • Agent (formerly "Quick Connect") module interface revamped
    • Fixed issues when configuring different types of a distribution file using MSI Configurator
    • Fixed issues with the Multiple users and permissions feature

    Remote Utilities

    Released on July 13,

    • Viewer interface has been completely revamped
    • Minor fixes and updates to the Host module

    Remote Utilities

    Released on June 12,

    • New program icons
    • "Capture sound" feature
    • Full control and view window is now located on the same monitor as the Viewer's main window
    • A minor bug when configuring Quick Connect using MSI Configurator
    • Minor Text chat bugs
    • Minor Callback connection bugs
    • Other fixes and improvements

    Remote Utilities

    Released on April 27,

    • Added Active Directory tree browser. Now the RUT-Viewer address book window shows the actual Active Directory tree, and you can connect to any computer right away. You can use the default domain controller for the network where the RUT-Viewer machine is located, or you can specify a different domain controller using a special dialog window.
    • Added different users with different permissions for a single RUT-Host. This feature is available for both the security system of Remote Utilities and WinNT security.
    • Added an "Ask user permission" option in RUT-Host settings. If this option is set, a message is displayed to the remote user, allowing them to accept or decline a remote connection.
    • Added the ability to launch and work when the remote computer is in Windows Safe Mode. The remote PC is available for remote connection after a reboot in Safe Mode.
    • Improved RUT-Viewer and RUT-Host installer. Now you do not need to uninstall the program manually before updating. Simply run the new version installer file and follow the installation wizard instructions to update the program.
    • Added Windows PE support.
    • The Password setting window that appears after the RUT-Host installation has been simplified.
    • Removed the outdated video overlay connection mode.
    • Removed the manicapital.com library, which caused antivirus software to create a false alarm.
    • Minor fixes and improvements.

    Remote Utilities

    Released on January 27,

    • Added IPv6 support.
    • Minor fixes.

    Remote Utilities

    Released on January 15,

    • Internet ID technology has been optimized for fast Internet connections. For improvements to be seen, update both the Viewer and the Host, as well as the GMS (if the latter is used).
    • Improved mouse and keyboard response time.
    • Improved proxy-server support.
    • Improved MSI-Configurator: now the configurator works if RUT-Host is installed (but is not running) on the PC. This works for all configuration options except Quick Connect.
    • Custom-built Quick Connect module now always asks user confirmation before sending connection credentials to the administrator's e-mail.
    • One-click installer now works in silent mode. However, our website opens in the web-browser during installation.
    • Quick Connect now uses simplified Internet ID codes with the mask xxx-xxx-xxx where x is any figure from 0 to 9.
    • Fixed issues with keyboard not working in some cases.
    • Fixed 'Blank remote screen' feature issue in Windows 7.
    • Minor improvements and fixes.

    Remote Utilities

    Released on December 12,

    • Quick Connect module: a stand-alone Host executable that runs without installation and administrative privileges.
    • Added the ability to customize QuickConnect with logo and text for branding purposes.
    • Added Voice and Video chat connection mode optimized for slow networks.
    • Gateway Mediation Server which is a replica of our global Internet ID server, but runs locally and is available for free.
    • Tabs to the Full Control and View window, like in a web-browser. This can be disabled in the RUT-Viewer Options.
    • Added Remote Settings mode that grants direct access to remote RUT-Host settings via the corresponding item in the RUT-Viewer context menu.
    • Added Address Book Manager to allow working with several address books in different places including network locations.
    • Added the ability to automatically send the Internet ID and Password to the helpdesk technician via e-mail once the configured QuickConnect module is first run on the remote side.
    • Added multiple tabs, Windows 7 like address bar and the ability to transfer files from one remote PC to another in the File Transfer connection mode.
    • Added the ability to generate meta-keys for registering RUT-Hosts. This protects the owner of the license from an unauthorized use of their license key. This is especially useful for Helpdesk license owners.
    • Added the ability to edit the properties of multiple connections at once.
    • Added the ability to show a small blue globe beside the RUT-Host icon when the connection with an Internet ID server is live.
    • Added automatic clipboard sync (so far for plain text only).
    • Added new error message system with message log and smart non-intrusive error notifications.
    • Added support for HTTP and SOCKS proxy servers both on the RUT-Host and RUT-Viewer side.
    • Now all installer and executable files are digitally signed with the certificate issued by DigiCert Inc.
    • Added support for proxy server NTLM authorization.
    • Improved MSI Configurator tool: this tool now allows configuring three different output files: Standard MSI file (.msi), One-click installer (.exe) and QuickConnect (.exe).
    • Improved Remote Webcam connection mode by making it transmit the image and sound in the real time using the latest audio and video codecs.
    • Improved Block Remote Screen window with the ability to show rich text formatting or a web page.
    • Improved the thumbnail previews algorithm in the RUT-Viewer main window.
    • Improved RUT-Host installer: now the UAC privileges elevation message shows only once.
    • Improved and extended Power Control mode (former "Shutdown" mode).
    • Improved and extended Execute mode.
    • Minor improvements to the Callback Connection feature.
    • Fixed the occasional bugs when the Connect through Host feature was used.
    • Fixed bugs with the Internet ID, File Manager and multi-monitor features not working properly in some cases.
    • Fixed several bugs in the Screen Recorder connection mode.
    • Fixed memory leakage which occurred on the RUT-Host side in some cases.
    • Some changes to the user interface.
    • Multiple improvements and fixes.

    Remote Utilities

    Released on May 17,

    • Added a new licensing option - Home License

    Remote Utilities

    Released on March 8,

    • Internet-ID allows connecting over the Internet to a PC which is located behind a firewall or a NAT device. No network configuration on the remote PC side is necessary.
    • a new "Helpdesk" licensing option.
    • the ability to select a terminal session out of several terminal sessions being active on the remote PC.
    • RUT-Viewer now works on Wine in Linux OS.
    • the ability to run RUT-Host as current user.
    • Modified RUT-Host settings: now there are user settings and system settings.
    • invitation system. An administrator or a helpdesk specialist generates a special invitation code that contains an Internet ID, a password and a license key. The code is then applied by the user on the remote PC.
    • one-click installer as a single EXE-file which automatically installs the configured RUT without any queries.
    • RUT-Viewer ping capability that allows you to determine almost instantly which computer is on the network.
    • Help to RUT-Host (previously Help was available in RUT-Viewer only).
    • the ability to view the callback connection query list in RUT-Viewer.
    • the ability to activate all callback connections in one click on RUT-Host.
    • a new tab called "Users" in the Task Manager connection mode window.
    • tree view of connection properties for the Connect through Host feature.
    • the speed of browsing the remote registry.
    • integration of the RUT-Host with the Windows 7/Vista/ built-in Firewall.
    • issues with NTLM authorization with Windows 7/Vista/
    • issues causing instability of RUT-Host when using the Connect through Host feature.
    • Minor improvements and fixes.

    Remote Utilities

    Released on September 9,

    • video/sound capture module.
    • remote registry connection mode.
    • a new hotkey for closing the remote connection window.
    • import/export of registry keys in the Remote Registry connection mode.
    • Remote Web Camera connection mode. Now the Open OGG is used instead of the proprietary WMV.
    • Addressed an issue that could cause incorrect work in Full Control/View mode on server operating systems.
    • an issue with entering IP addresses in the RUT-Host settings.
    • an issue with entering IP addresses in IP-filter settings.
    • Minor improvements and fixes.

    Internet Explorer 6

    Microsoft Internet Explorer 6 (IE6) is the sixth major revision of Internet Explorer, a web browser developed by Microsoft for Windows operating systems. It was released on August 27, , shortly after the completion of Windows XP.

    It is the default browser shipped with Windows XP and Windows Server , and was also made available for Windows NT , Windows 98, Windows , and Windows Me. IE6 SP2+ and IE7 were only included (IE6 SP2+) in or available (IE7) for Windows XP SP2+. Windows 95 and earlier are not maintained. Internet Explorer 6 is the last version of Internet Explorer to be supported on Windows NT , Windows 98, Windows , and Windows Me, as its successor, Internet Explorer 7, does not support these operating systems.

    Despite dominating market share (attaining a peak of 90% in mid), this version of Internet Explorer has been widely criticized for its security issues and lack of support for modern web standards, making frequent appearances in "worst tech products of all time" lists, with PC World labeling it "the least secure software on the planet."[2] In , Mozilla finalised Firefox to rival IE6, and it became highly popular and acclaimed for its security, add-ons, speed and other modern features such as tabbed browsing.[3] Microsoft planned to fix these issues in Internet Explorer 7 by June–August ,[4][5] but it was delayed until an October release, over 5 years after IE6 debuted.

    Because a substantial percentage of the web audience still used the outdated browser (especially in China), campaigns were established in the lates to encourage users to upgrade to newer versions of Internet Explorer or switch to different browsers. Some websites dropped support for IE6 entirely, the most notable of which was Google dropping support in some of its services in March [6][7] According to Microsoft's manicapital.com website, as of August, % of users in China and less than 1% in other countries were using IE6.[8]

    Internet Explorer 6 was the last version to be called Microsoft Internet Explorer; the software was rebranded as Windows Internet Explorer from Internet Explorer 7 onward.

    Overview

    IE6 cannot perform an Acid3 test

    When IE6 was released, it included a number of enhancements over its predecessor, Internet Explorer 5. It and its layout engine Trident are required for many programs including Microsoft Encarta. IE6 improved support for Cascading Style Sheets, adding a number of properties that previously had not been implemented and fixing bugs such as the Internet Explorer box model bug.[9] In Windows XP, IE6 introduced a redesigned interface based on the operating system's default theme, Luna.

    In addition, IE6 added DHTML enhancements, content restricted inline frames, and partial support of DOM level 1 and SMIL [10] The MSXML engine was also updated to version Other new features included a new version of the Internet Explorer Administration Kit (IEAK) which introduced IExpress, a utility to create self-extracting INF-based installation packages,[11] Media bar, Windows Messenger integration, fault collection, automatic image resizing, and P3P. Meanwhile, in , the Gopher protocol was disabled.[12]

    IE6 was the most widely used web browser during its tenure, surpassing Internet Explorer 5.x. At its peak in and , IE6 attained a total market share of nearly 90%, with all versions of IE combined reaching 95%. There was little change in IE's market share for several years until Mozilla Firefox was released and gradually began to gain popularity. Microsoft subsequently resumed development of Internet Explorer and released Internet Explorer 7, further reducing the number of IE6 users.

    In a May 7, Microsoft online chat, Brian Countryman, Internet Explorer Program Manager, declared that Internet Explorer would cease to be distributed separately from Windows (IE6 would be the last standalone version);[13] it would, however, be continued as a part of the evolution of Windows, with updates coming only bundled in Windows upgrades. Thus, Internet Explorer and Windows itself would be kept more in sync. However, after one release in this fashion (IE6 SP2 in Windows XP SP2, in August ), Microsoft changed its plan and released Internet Explorer 7 for Windows XP SP2 and Windows Server SP1 in late Microsoft Internet Explorer 6 was the last version of Internet Explorer to have "Microsoft" in the title: later versions changed branding to "Windows Internet Explorer", as a reaction to the findings of anti-competitive tying of Internet Explorer and Windows raised in United States v. Microsoft and the European Union Microsoft competition case.

    On March 4, , Microsoft urged web users to stop using IE6 in favor of newer versions of Internet Explorer.[14] They launched a website called IE6 Countdown,[15] which would show what percentage of the world uses IE6 and aim to get people to upgrade.

    Security problems

    The security advisory site Secunia reported 24 unpatched vulnerabilities in Internet Explorer 6 as of February 9, These vulnerabilities, which include several "moderately critical" ratings, amount to 17% of the total security risks listed on the website as of February 11, [16]

    As of June 23, , Secunia counted 20 unpatched security flaws for Internet Explorer 6, many more and older than for any other browser, even in each individual criticality-level, although some of these flaws only affect Internet Explorer when running on certain versions of Windows or when running in conjunction with certain other applications.[16]

    On June 23, , an attacker used two previously undiscovered security holes in Internet Explorer to insert spam-sending software on an unknown number of end-user computers.[17] This malware became known as manicapital.com and caused users to infect their computers with a back door and key logger merely by viewing a web page. Infected sites included several financial sites.

    Probably the biggest generic security failing of Internet Explorer (and of other web browsers too) is that it runs with the same level of access as the logged-in user, rather than adopting the principle of least user access. Consequently, any malware executing in the Internet Explorer process via a security vulnerability (e.g. manicapital.com in the example above) has the same level of access as the user, which is particularly relevant when that user is an Administrator. Tools such as DropMyRights[18] are able to address this issue by restricting the security token of the Internet Explorer process to that of a limited user. However, this added level of security is not installed or available by default, and does not offer a simple way to elevate privileges ad hoc when required (for example, to access Microsoft Update).

    Art Manion, a representative of the United States Computer Emergency Readiness Team (US-CERT) noted in a vulnerability report that the design of Internet Explorer 6 Service Pack 1 made it difficult to secure. He stated that:

    There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. … IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.[19]

    Manion later clarified that most of these concerns were addressed in with the release of Windows XP Service Pack 2, and other browsers had begun to suffer the same vulnerabilities he identified in the above CERT report.[20]

    In response to a belief that Internet Explorer's frequency of exploitation is due in part to its ubiquity, since its market dominance made it the most obvious target, David Wheeler argues that this is not the full story. He notes that Apache HTTP Server had a much larger market share than Microsoft IIS, yet Apache traditionally had fewer security vulnerabilities at the time.[21]

    As a result of its issues, some security experts, including Bruce Schneier in , recommended that users stop using Internet Explorer for normal browsing, and switch to a different browser instead.[22] Several notable technology columnists suggested the same idea, including The Wall Street Journal's Walt Mossberg[23] and eWeek's Steven Vaughan-Nichols.[24] On July 6, , US-CERT released an exploit report in which the last of seven workarounds was to use a different browser, especially when visiting untrusted sites.[25]

    Market share

    Internet Explorer 6 was the most widely used web browser during its tenure (surpassing Internet Explorer 5.x), attaining a peak percentage in usage share during and in the high 80s[contradictory], and together with other versions up to 95%.[citation needed] It only slowly declined up to , when it lost about half its market share to Internet Explorer 7 and Mozilla Firefox between late to

    IE6 remained more popular than its successor in business use for more than a year after IE7 came out.[28] A DailyTech article noted, "A Survey found % of companies still use IE 6 as of December ", while "IE 7 only has a percent adoption rate".[28]

    Net Applications estimated IE6 market share at almost 39% for September [29] According to the same source, IE7 users migrate faster to IE8 than users of its predecessor IE6 did, leading to IE6 once again becoming the most widely used browser during the summer and fall of , eight years after its introduction.[30]

    As of February , estimates of IE6's global market share ranged from %.[31][32][33] Nonetheless, IE6 continued to maintain a plurality or even majority presence in the browser market of certain countries, notably China[34] and South Korea.[35][36]

    Google Apps and YouTube dropped support for IE6 in March ,[37][38] followed by Facebook chat in September.[39]

    On January 3, , Microsoft announced that usage of IE6 in the United States had dropped below 1%.[40]

    In August , IE6 was still the most popular IE web browser in China. It was also the second most used browser overall with a total market share of %, just behind the Chinese-made Secure Browser at %.[41]

    In July , Net Applications reported the global market share of IE6 amongst all Internet Explorer browsers to be %.[42]

    As of August , IE6 was being used by <1% users in most countries, with the only exception being China (%).[8][43] Usage in China fell below 1% by the end of the year.[44]

    Criticism

    A common criticism of Internet Explorer is the speed at which fixes are released after the discovery of security problems.

    Microsoft attributes the perceived delays to rigorous testing. A posting to the Internet Explorer team blog on August 17, explained that there are, at minimum, distinct releases of Internet Explorer that Microsoft supports (covering more than two dozen languages, and several different revisions of the operating system and browser level for each language), and that every combination is tested before a patch is released.[45]

    In May , PC World rated Internet Explorer 6 the eighth worst tech product of all time.[2] A certain degree of complacency has been alleged against Microsoft over IE6. With nearly 90% of the browser market, the motive for innovation was not strongly present, resulting in the 5-year gap between IE6's introduction and its replacement with IE7. This was a contributing factor in the rapid rise of the free software alternative Mozilla Firefox.

    Unlike most other modern browsers, IE6 neither fully nor properly supports CSS version 2, which made it difficult for web developers to ensure compatibility with the browser without degrading the experience for users of more advanced browsers. Developers often resorted to strategies such as CSS hacks, conditional comments, or other forms of browser sniffing to make their websites work in IE6.

    Additionally, IE6 lacks support for alpha transparency in PNG images, replacing transparent pixels with a solid colour background (grey unless defined in a PNG bKGD chunk). There is a workaround by way of Microsoft's proprietary AlphaImageLoader, but it is more complicated and not wholly comparable in function.[46]

    Internet Explorer 6 has also been criticized due to its instability. For example, the following code on a website would cause a program crash in IE6:[citation needed]

    <style>*{position:relative}</style><table><input></table>

    or

    <script>for(x in open);</script>

    The user could crash the browser with a single line of code in the address bar, causing a pointer overflow.[47][48]

    Nvidia's website displaying a message encouraging Internet Explorer 6 users to upgrade to a newer browser.

    Several campaigns were later aimed at ridding Internet Explorer 6 from the browser market:

    • In July , 37signals announced it would phase out support for IE6 beginning in October [49]
    • In February , some Norwegian sites began hosting campaigns with the same aim.[50]
    • In March , a Danish anti-IE6 campaign was launched.[51]
    • In January , the German Government, and subsequently the French Government each advised their citizens to move away from IE6.[52]
    • Also in January , Google announced it would no longer support IE6.[53]
    • In February , British citizens began to petition their government to stop using IE6,[54] though this was rejected in July [55]
    • In March , in agreement with the EU, Microsoft began prompting users of Internet Explorer 6 in the EU with a ballot screen in which they are presented with a list of browsers in random order to select and upgrade to. The website is located at manicapital.com[56][57]
    • In May , Microsoft's Australian division launched a campaign which compared IE6 to 9-year-old milk and urged users to upgrade to IE8.[58][59][60]

    With the increasing lack of compatibility with modern web standards, popular websites began removing support for IE6 in , including YouTube[6] and their parent company Google;[7] however large IT company support teams and other employers forcing staff to use IE6 for compatibility reasons slowed upgrades.[61] Microsoft themselves eventually began their own campaign to encourage users to stop using IE6,[62] though stating that they would support IE6 until Windows XP SP3 (including embedded versions) support is removed.[63] However, on January 12, when the new Microsoft Lifecycle Support policy for Internet Explorer went into effect, IE6 support on all Windows versions ended, more than 14 years after its original release,[64] making the January security update for multiple versions of XP Embedded the last that Microsoft publicly issued for IE6.[65]

    Security framework

    Internet Explorer uses a zone-based security framework, which means that sites are grouped based upon certain conditions. IE allows the restriction of broad areas of functionality, and also allows specific functions to be restricted. The administration of Internet Explorer is accomplished through the Internet Properties control panel. This utility also administers the Internet Explorer framework as it is implemented by other applications.

    Patches and updates to the browser are released periodically and made available through the Windows Update web site. Windows XP Service Pack 2 adds several important security features to Internet Explorer, including a popup blocker and additional security for ActiveX controls. ActiveX support remains in Internet Explorer, although access to the "Local Machine Zone" is denied by default since Service Pack 2. However, once an ActiveX control runs and is authorized by the user, it can gain all the privileges of the user, instead of being granted limited privileges as Java or JavaScript are. This was later solved in the Windows Vista version of IE 7, which supported running the browser in a low-permission mode, making malware unable to run unless expressly granted permission by the user.

    Quirks mode

    Internet Explorer 6 dropped Compatibility Mode, which allowed Internet Explorer 4[66] to be run side by side with 5.x.[67][68] Instead, IE6 introduced quirks mode, which causes it to emulate many behaviors of IE [69] Rather than being activated by the user, quirks mode is automatically and silently activated when viewing web pages that contain an old, invalid or no DOCTYPE. This feature was later added to all other major browsers to maximize compatibility with old or poorly-coded web pages.[70]

    Supported platforms

    Internet Explorer supports Windows NT (Service Pack 6a only), Windows 98, Windows Me, Windows , Windows XP and Windows Server The Service Pack 1 update supports all of these versions, but Security Version 1[1] is only available as part of Windows XP Service Pack 2 and Windows Server Service Pack 1 and later service packs for those versions. Versions after Windows XP include Internet Explorer 7 and higher only.

    Release history

    Version | Release date | Significant changes | Shipped with
    Beta 1 | March 22, | More CSS changes and bug fixes to be more W3C-compliant. | N/A
     | August 27, | Final release. Removed the smart tag feature, which was introduced in the beta. | Windows XP and Windows Server
    SP1 | September 9, | Vulnerability patch. Last version supported on Windows NT , 98, and Me. | Windows XP SP1
     | October 1, | Updates, included in SP2. | Windows Longhorn build
    SP2 | August 25, | Vulnerability patch. Popup/ActiveX blocker. Add-on manager. | Windows XP SP2 and Windows Server SP1
    SP3 | April 21, | Latest updates included with XP SP3. | Windows XP SP3 and Windows Server SP2

    System requirements

    IE6 requires at least:[71]


    References

    1. SV1 stands for "Security Version 1", referring to the set of security enhancements made for that release.[I] This version of Internet Explorer is more popularly known as IE6 SP2, given that it is included with Windows XP Service Pack 2, but this can lead to confusion when discussing Windows Server , which includes the same functionality in the SP1 update to that operating system.
      "XPSP2 and its slightly updated user agent string". The Windows Internet Explorer Weblog. Microsoft via MSDN. Retrieved
    2. Tynan, Dan (). "The 25 Worst Tech Products of All Time". PC World. IDG. Archived from the original on 15 June Retrieved
    3. "New browser wins over net surfers". BBC. November 24, Retrieved May 13,
    4. manicapital.com The assault on software giant Microsoft
    5. manicapital.com Security scares spark browser fix
    6. Goss, Patrick (). "Official: YouTube to stop IE6 support". TechRadar. Future plc. Retrieved
    7. Krazit, Tom (). "Google phasing out support for IE6". CNET. CBS Interactive. Retrieved
    8. "IE 6 Countdown". manicapital.com. Microsoft. Retrieved May 13,
    9. "CSS Enhancements in Internet Explorer 6". CSS Enhancements in Internet Explorer 6. Microsoft. September Archived from the original on Retrieved
    10. "SMIL Standards and Microsoft Internet Explorer 6, 7, and 8". axistive. June 28, Archived from the original on June 3, Retrieved
    11. IExpress Technology and the IExpress Wizard
    12. Kaiser, Cameron (21 July ). "Using a web browser to access gopher space". Floodgap. Retrieved
    13. Hansen, Evan; Staff Writer (May 31, ). "Microsoft to abandon standalone IE". CNET. CNET. Archived from the original on 9 August Retrieved 10 April
    14. "Internet Explorer 6 Countdown". Archived from the original on Retrieved
    15. "manicapital.com". Archived from the original on Retrieved
    16. "Vulnerability Report: Microsoft Internet Explorer 6.x". Secunia. Archived from the original on February 1, Retrieved May 13,
    17. Lemos, Robert (25 June ). "Researchers warn of infectious Web sites". ZDnet. CBS Interactive. Retrieved 8 September
    18. Howard, Michael (November 5, ). "Browsing the Web and Reading E-mail Safely as an Administrator". Microsoft Developer Network. Archived from the original on February 6, Retrieved May 13,
    19. "Vulnerability Note VU#". US-CERT. June 9, Retrieved
    20. Manion, Art (July 7, ). "Perspective: A safe browser? No longer in the lexicon". CNET. CBS Interactive. Archived from the original on November 7, Retrieved May 13,
    21. Wheeler, David (November 14, ). "Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? Look at the Numbers!". Retrieved May 13,
    22. Schneier, Bruce (December 12, ). "Safe Personal Computing". Retrieved
    23. Mossberg, Walt (September 16, ). "How to Protect Yourself From Vandals, Viruses If You Use Windows". The Wall Street Journal. Dow Jones & Company. Retrieved
    24. Vaughan-Nichols, Steven (June 28, ). "Internet Explorer Is Too Dangerous to Keep Using". eWeek. Linux & Open Source – Opinions. Retrieved
    25. "Vulnerability Note VU#". US-CERT. June 9, Retrieved
    26. "Browser Version Market Share". Net Applications. August Retrieved
    27. manicapital.com#desktop-browser_version-ww-monthlybar
    28. Mick, Jason (). "Firefox Makes Big Gains In Business at IE's Expense". DailyTech. Archived from the original on Retrieved
    29. "Top Browser Share Trend – Market Share". Net Applications. September Retrieved The date range spans October, —September,
    30. "Top Browser Share Trend". Hitslink. February 9, Retrieved 9 February
    31. "Global Web Stats". W3Counter. February Retrieved
    32. "StatCounter Global Stats". StatCounter. February Retrieved
    33. "Browser Version Market Share". Net Applications. February Retrieved
    34. "Top 12 Browser Versions in China". StatCounter. February Retrieved 20 March
    35. "Top 12 Browser Versions in South Korea". StatCounter. February Retrieved 20 March
    36. "Korea Paying Price for Microsoft Monoculture". The Korea Times. September 23,
    37. "Modern browsers for modern applications". Google. January Retrieved 5 March
    38. Protalinski, Emil (February ). "YouTube to kill IE6 support on March 13". Ars Technica. Condé Nast. Retrieved 5 March
    39. Schmidt, Rodrigo (August ). "Chat with No Interruptions". Facebook. Retrieved 26 August
    40. "IE6 Usage Drops Below 1 Percent in U.S." PC Magazine. Retrieved
    41. manicapital.com Techninasia
    42. Keizer, Gregg (). "IE10 pushes past predecessor to take second place among Microsoft's browsers". Computerworld. IDG. Retrieved
    43. manicapital.com?qprid=2&qpcustomd=0
    44. "StatCounter Global Stats". StatCounter. December Retrieved
    45. "The Basics of the IE Testing Matrix". Internet Explorer team blog. Microsoft. August 17, Retrieved
    46. "PNG Files Do Not Show Transparency in Internet Explorer". Microsoft Help and Support