Windows security: Here's why we don't fix some bugs right away, Microsoft reveals

Microsoft explains how it decides whether a vulnerability will be patched swiftly or left for a version update.
Written by Liam Tung, Contributing Writer


Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release.

The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update.

Microsoft said in a blogpost the document is intended to offer researchers "better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them."

The criteria revolve around two key questions: "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"; and, "Does the severity of the vulnerability meet the bar for servicing?"

If the answer to both questions is 'yes', the bug will be patched in a security update; if the answer to either question is 'no', the vulnerability will by default be considered for the next version or release of the affected product or feature.


That bar for servicing is defined by Microsoft's severity rating system, which aims to help customers understand the risk of each vulnerability it patches. These are Critical, Important, Moderate, Low, and None.

"If a vulnerability is rated as Critical or Important, and the vulnerability applies to a security boundary or security feature that has a servicing commitment, then the vulnerability will be addressed through a security update," the draft states.

Microsoft lists eight types of security boundary for which it maintains a servicing commitment, such as the logical separation between kernel mode and user mode.

These cover the network, kernel, process, AppContainer sandbox, session, web browser, virtual machine, and Virtual Secure Mode.

Security features with a servicing commitment include BitLocker and Secure Boot, Windows Defender System Guard, Windows Defender Application Control, Windows Hello, Windows Resource Access Control, platform cryptography, Host Guardian Service, and authentication protocols.

All the listed security boundaries and security features are included in Microsoft's bug bounty program.


However, Microsoft's servicing commitments do not apply to a number of defense-in-depth or Windows 10 OS hardening features, such as Control Flow Guard, Code Integrity Guard, and Arbitrary Code Guard.

While valid bypasses for these are eligible for payouts of up to $100,000 under Microsoft's Mitigation Bypass Bounty and Bounty for Defense program, Microsoft won't guarantee a fix in a Patch Tuesday release.

Other features excluded from servicing commitments include its Controlled Folder Access ransomware protection, and, surprisingly, Microsoft's antivirus, Windows Defender.

Microsoft Windows 10 exploit mitigations have attracted a lot of attention from researchers at Google Project Zero, who've on several occasions disclosed bypasses before Microsoft could patch them. Microsoft has sometimes asked Project Zero to delay disclosure until the company released a version update.

This may be one reason why Microsoft says the document is also intended to "ensure we are transparent with our customers in our approach".
