Microsoft has released a draft document outlining which security vulnerabilities in Windows or other products will be patched immediately and which may be left for later.
The document sets out the criteria that the Microsoft Security Response Center uses to decide whether a reported vulnerability will be fixed immediately, usually in a security update on the next Patch Tuesday, or will instead ship with another month's updates.
Microsoft reports in a post on its blog that the document aims to provide researchers with "more clarity on security features, limits and fixes in Windows, and service commitments."
The company's stated criteria for assessing the severity of vulnerabilities are summarized in two key questions:
1. Does the vulnerability break the promise of a security boundary or security feature that Microsoft is committed to defending? and
2. Does the severity of the vulnerability meet the company's bar for servicing?
If the answer to both of the above questions is "yes", the vulnerability will be fixed in the next security update, but if the answer to both questions is "no", the vulnerability will be deferred to a subsequent update or a later version of the affected product, feature or service.
How promptly the company services a vulnerability appears to be determined by Microsoft's severity rating system, which is meant to help developers understand the risk of any vulnerability. Vulnerabilities are rated critical, important, moderate, low or none.
"If a vulnerability is determined to be critical or important and involves a security boundary or security feature that we have an obligation to service, then it will be addressed through a security update," the document states.
Microsoft lists eight types of security boundaries for which it has a servicing commitment. For example, the company distinguishes between kernel mode and user mode.
The security features that the company is committed to servicing immediately are: BitLocker and Secure Boot, Windows Defender System Guard, Windows Defender Application Control, Windows Hello, Windows Resource Access Control, the cryptography platform, Host Guardian Service, and authentication protocols.
All the listed security boundaries and security features that the company services are covered by Microsoft's bug bounty program.
However, Microsoft's servicing commitments do not apply to certain defense features, such as Control Flow Guard, Code Integrity Guard, and Arbitrary Code Guard. Other features excluded from the servicing commitments include ransomware protection and Microsoft's antivirus, Windows Defender.
You can read the document for more information (PDF).