
Microsoft reveals which Windows bugs it might decide not to fix

Draft document explains where Redmond thinks its responsibility ends


Microsoft has published a draft “Security Servicing Commitments for Windows” in which it explains the bugs it will and won’t fix.

The document (PDF) was revealed on June 12th and is intended for security researchers, to offer “better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them.”

“We are primarily interested in feedback around our servicing policies and whether our criteria makes sense to you, the researcher,” says Microsoft’s announcement of the draft.

Microsoft explains that it asks two questions when it learns of a bug:

  1. Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?
  2. Does the severity of the vulnerability meet the bar for servicing?

“If the answer to both questions is yes, then the vulnerability will be addressed through a security update that applies to all affected and supported offerings,” the document explains, and Microsoft will deliver that update ASAP. “If the answer to either question is no, then by default the vulnerability will be considered for the next version or release of an offering but will not be addressed through a security update, though in some cases an exception may be made.”

The document also explains that Microsoft rates bugs on a five-step scale – Critical, Important, Moderate, Low, and None – and that Microsoft only fixes Critical and Important flaws.

It also reveals that there are some issues for which Microsoft will pay out a bug bounty, but doesn’t feel it needs to issue a rapid fix. One such category concerns Data Execution Prevention, whose stated promise is that “An attacker cannot execute code from non-executable memory such as heaps and stacks”.

The Register sometimes hears from security researchers who feel that Microsoft has not responded to bug reports with appropriate haste. This document and its eventual finalised successor should help to explain such incidents to researchers. It’s also of interest to end-users because, by explaining which bugs Microsoft won’t rush to fix, it offers more detail about the risks that come with running Windows. ®
