Microsoft explains how it decides whether a vulnerability will be patched swiftly or left for a version update.


Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release.

The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update.

Microsoft said in a blog post that the document is intended to offer researchers “better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them.”

The criteria revolve around two key questions: “Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?”; and, “Does the severity of the vulnerability meet the bar for servicing?”

If the answer to both questions is ‘yes’, the bug will be patched in a security update, but if the answer to both is ‘no’, the vulnerability will be considered for the next version or release of the affected product or feature.

That bar for servicing is defined by Microsoft’s severity rating system, which aims to help customers understand the risk of each vulnerability it patches. These are Critical, Important, Moderate, Low, and None.

“If a vulnerability is rated as Critical or Important, and the vulnerability applies to a security boundary or security feature that has a servicing commitment, then the vulnerability will be addressed through a security update,” the draft states.

Microsoft lists eight types of security boundary for which it maintains a servicing commitment, such as the logical separation between kernel mode and user mode.

These cover the network, kernel, process, AppContainer sandbox, session, web browser, virtual machine, and Virtual Secure Mode.

Security features with a servicing commitment include BitLocker and Secure Boot, Windows Defender System Guard, Windows Defender Application Control, Windows Hello, Windows Resource Access Control, platform cryptography, Host Guardian Service, and authentication protocols.

All the listed security boundaries and security features are included in Microsoft’s bug bounty program.

However, Microsoft’s servicing commitments do not apply to a number of defense-in-depth or Windows 10 OS hardening features, such as Control Flow Guard, Code Integrity Guard, and Arbitrary Code Guard.

While valid bypasses for these are eligible for up to $100,000 payouts under Microsoft’s Mitigation Bypass and Bounty for Defense program, Microsoft won’t guarantee a fix in a Patch Tuesday release.

Other features excluded from servicing commitments include its Controlled Folder Access ransomware protection, and, surprisingly, Microsoft’s antivirus, Windows Defender.

Microsoft’s Windows 10 exploit mitigations have attracted a lot of attention from researchers at Google Project Zero, who have on several occasions disclosed bypasses before Microsoft could patch them. Microsoft has sometimes asked Project Zero to delay disclosure until the company released a version update.

This may be one reason why Microsoft says the document is also intended to “ensure we are transparent with our customers in our approach”.

Original Source: Liam Tung / June 14, 2018

About author

Gloria McCutchen
Chairman & CEO of G2M.US since 1999. I have worked with computers for more than 20 years and have 10 years of experience as a teacher in this area. I have a Bachelor’s Degree in Computer Engineering and a Master’s Degree in Cyber Security. I'm a Digital Marketing Specialist. I have a Postgraduate degree in Pedagogical Education.