Windows: why Microsoft does not fix some bugs immediately

Microsoft has published a draft document that clarifies which Windows security vulnerabilities (and vulnerabilities in other Microsoft products) will receive an immediate fix and which can be left for later.

The document outlines the criteria the Microsoft Security Response Center (MSRC) uses to decide whether a reported vulnerability will be fixed immediately, usually in a security update on the next Patch Tuesday, or deferred to a later release of the affected product.

Microsoft says in a post on its blog that the paper aims to give researchers "more clarity about security boundaries, security features and fixes in Windows, as well as servicing commitments".

The criteria Microsoft uses to assess whether a vulnerability will be serviced come down to two basic questions:

1. Does the vulnerability violate the promise of a security boundary or a security feature that Microsoft has committed to defending?
2. Does the severity of the vulnerability meet the bar for servicing?

If the answer to both questions is "yes", the bug will be fixed in a security update. If the answer to either question is "no", the vulnerability is recorded for a subsequent update or a later version of the affected product, feature or service.

The servicing bar is set by Microsoft's severity rating system, which exists to help customers understand the risk posed by a given vulnerability. Under it, a vulnerability is rated Critical, Important, Moderate, Low, or none at all.

"If a vulnerability is determined to be critical or important and involves a security boundary or security feature that we have an obligation to service, then it will be addressed through a security update," the document states.

The document then lists eight types of security boundary for which Microsoft has a servicing commitment. For example, the kernel boundary separates kernel-mode code and data from user-mode processes.

The security features the company commits to servicing are: BitLocker, Secure Boot, Windows Defender System Guard, Windows Defender Application Control, Windows Hello, Windows Resource Access Control, platform cryptography, Host Guardian Service, and authentication protocols.

All of the security boundaries and security features that Microsoft commits to servicing are in scope for Microsoft's bug bounty program.

However, Microsoft's servicing commitment does not extend to certain defense-in-depth features, such as Control Flow Guard, Code Integrity Guard, and Arbitrary Code Guard. Other features excluded from the servicing commitment include ransomware protection (Controlled Folder Access) and Microsoft's antivirus, Windows Defender. Bypasses of these features may still be fixed, but not on the security-update schedule.

You can read the document for more (PDF).

_______________________

iGuRu.gr The Best Technology Site in Greece


Written by giorgos

