Microsoft details for the first time how it classifies Windows security bugs | Industry
The documents were put together over the course of the year by the Microsoft Security Response Center (MSRC), the department that receives and handles security-related bug reports at Microsoft.
Drafts of the two documents were released to the research community and the broader security industry for feedback back in June. The final versions, with quite a lot of new information, were published today.
The first of these documents is a web page named “Microsoft Security Servicing Criteria for Windows.” This page contains information on what types of Windows features are usually serviced via urgent Patch Tuesday security updates, and what bugs are left to the main Windows development team to be fixed and rolled out as part of the bi-annual Windows OS updates.
The document splits everything into three categories: security boundaries, security features, and defense-in-depth security features.
Security boundaries are what Microsoft considers clear violations of data access policies. For example, a bug report that describes how a non-admin user mode process gains access to kernel mode and kernel data will always be considered a “security boundary” violation, in this case of the “kernel boundary.” Microsoft lists nine security boundaries: network, kernel, process, AppContainer sandbox, user, session, web browser, virtual machine, and the Virtual Secure Mode boundary.
Security features cover bug reports in apps and other OS components built to reinforce these security boundaries, such as bug reports in BitLocker, Windows Defender, Secure Boot, and others.
Bug reports in the first two categories are almost always considered security vulnerabilities that the Microsoft team will try to fix via immediate patches included in the monthly Patch Tuesday security updates.
The latter category, defense-in-depth security features, consists of security features that Microsoft does not consider to be on the same level of robustness as the first two categories, but features that only provide “additional security.”
Defense-in-depth security features include the User Account Control (UAC) feature, AppLocker, Address Space Layout Randomization (ASLR), Control Flow Guard (CFG), and others.
Bug reports in defense-in-depth features are not usually serviced via Patch Tuesday, but are noted down and serviced later down the line, if necessary.
We will not reproduce the entire document in this article, but we recommend going and reading about each category and viewing examples here.
The second document Microsoft released today is a PDF file that describes how Microsoft assigns severity rankings to bug reports. The document details which bugs are considered Critical, which Important, which bugs get the Moderate rank, and which are rated Low risk.
For example, a bug that allows unauthorized access to the file system to write data on disk is considered Critical, while a denial of service bug that only restarts an application will always be considered Low risk.
Microsoft has been criticized many times in the past years for not fixing certain vulnerabilities after researchers submitted bug reports.
The purpose of these documents was to clarify things for security researchers, the media, system administrators, and regular users alike. Just like any company, the MSRC has limited resources, and this document takes the infosec community inside the procedures Microsoft staffers use to triage and prioritize security flaws.
“We expect this to be a living document that evolves over time and we look forward to continuing the dialogue with the community on this topic,” Microsoft said today.