Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release.
The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update.
Microsoft said in a blogpost the document is intended to offer researchers “better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them.”
The criteria revolve around two key questions: “Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?”; and, “Does the severity of the vulnerability meet the bar for servicing?”
If the answer to both questions is ‘yes’, the bug will be patched in a security update, but if the answer to both is ‘no’, the vulnerability will be considered for the next version or release of the affected product or feature.
That bar for servicing is defined by Microsoft’s severity rating system, which aims to help customers understand the risk of each vulnerability it patches. These are Critical, Important, Moderate, Low, and None.
“If a vulnerability is rated as Critical or Important, and the vulnerability applies to a security boundary or security feature that has a servicing commitment, then the vulnerability will be addressed through a security update,” the draft states.
Microsoft lists eight types of security boundary for which it maintains a servicing commitment, such as the logical separation between kernel mode and user mode.
These cover the network, kernel, process, AppContainer sandbox, session, web browser, virtual machine, and Virtual Secure Mode.
Security features with a servicing commitment include BitLocker and Secure Boot, Windows Defender System Guard, Windows Defender Application Control, Windows Hello, Windows Resource Access Control, platform cryptography, Host Guardian Service, and authentication protocols.
All the listed security boundaries and security features are included in Microsoft’s bug bounty program.
However, Microsoft’s servicing commitments do not apply to a number of defense-in-depth or Windows 10 OS hardening features, such as Control Flow Guard, Code Integrity Guard, and Arbitrary Code Guard.
While valid bypasses for these are eligible for up to $100,000 payouts under Microsoft’s Mitigation Bypass and Bounty for Defense program, Microsoft won’t guarantee a fix in a Patch Tuesday release.
Other features excluded from servicing commitments include its Controlled Folder Access ransomware protection, and, surprisingly, Microsoft’s antivirus, Windows Defender.
Microsoft Windows 10 exploit mitigations have attracted a lot of attention from researchers at Google Project Zero, who’ve on several occasions disclosed bypasses before Microsoft could patch them. Microsoft has sometimes asked Project Zero to delay disclosure until the company released a version update.
This may be one reason why Microsoft says the document is also intended to “ensure we are transparent with our customers in our approach”.