Microsoft details for the first time how it classifies Windows security bugs

The Microsoft Security Response Center publishes two documents detailing internal procedures used by its staff to prioritize and classify security bugs.
Written by Catalin Cimpanu, Contributor

Microsoft opened its doors today to the security research community by releasing two documents that detail how the company classifies and handles security bugs.

The documents were put together over the course of the year by the Microsoft Security Response Center (MSRC), the department that receives and handles security-related bug reports at Microsoft.

Also: Best Home Security Devices for 2018 CNET

Drafts of the two documents were released for feedback for the research community and the broader security industry back in June. The final versions, with quite a lot of new information, were published today.

Also: Tesla modifies product policy to accommodate "good-faith" security research

The first of these documents is a web page named "Microsoft Security Servicing Criteria for Windows." This page contains information on what types of Windows features are usually serviced via urgent Patch Tuesday security updates, and what bugs are left to the main Windows development team to be fixed and rolled out part of the bi-annual Windows OS updates.

The document splits everything into three categories: security boundaries, security features, and defense-in-depth security features.

Security boundaries is what Microsoft considers clear violations of data access policies. For example, a bug report that describes how a non-admin user mode process that gains access to kernel mode and data will always be considered a "security boundary" violation, in this case of the "kernel boundary." Microsoft lists nine security boundaries -- network, kernel, process, AppContainer sandbox, user, session, web browser, virtual machine, and the Virtual Secure Mode boundary.

Also: Why free VPNs are not a risk worth taking

Security features are bug reports in apps and other OS features build to reinforce these security boundaries, such as bug reports in BitLocker, Windows Defender, Secure Boot, and others.

Bug reports for the first two are almost all the time considered security vulnerabilities that the Microsoft team will try and fix via immediate patches included in the monthly Patch Tuesday security updates.

Also: Researcher finds new malware persistence method leveraging Microsoft UWP apps

The latter category --defense-in-depth security features-- are security features that Microsoft does not consider to be on the same level of robustness as the first two categories, but only features that provide "additional security."

Defense-in-depth security features include the User Account Control (UAC) feature, AppLocker, Address Space Layout Randomization (ASLR), Control Flow Guard (CFG) , and others.

Bug reports in defense-in-depth features are not usually serviced via Patch Tuesday, but noted down and serviced later down the line, if necessary.

We will not reproduce the entire document in this article, but we recommend going and reading about each category and viewing examples here.

Also: Recent Windows ALPC zero-day has been exploited in the wild for almost a week

The second document Microsoft released today is a PDF file that describes how Microsoft assigns severity rankings to bug reports. The document details what bugs are considered Critical, what Important, what bugs get the Moderate rank, and which are rated Low risk.

For example, a bug that allows unauthorized access to the file system to write data on disk is considered Critical, while a denial of service bug that only restarts an application will always be considered Low risk.

Also: 7 tips for SMBs to improve data security TechRepublic

Microsoft has been criticized many times in the past years for not fixing certain vulnerabilities after researchers submitted bug reports.

The purpose of these documents was to clarify things for security researchers, the media, system administrators, and regular users alike. Just like any company, the MSRC has limited resources, and this document takes the infosec community inside the procedures Microsoft staffers use to trial and prioritize security flaws.

"We expect this to be a living document that evolves over time and we look forward to continuing the dialogue with the community on this topic," Microsoft said today.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Editorial standards