
Microsoft reveals which Windows bugs it might decide not to fix

Draft document explains where Redmond thinks its responsibility ends


Microsoft’s published a draft “Security Servicing Commitments for Windows” in which it explains the bugs it will and won’t fix.

The document (PDF) was revealed on June 12th and is intended for security researchers, to offer “better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them.”

“We are primarily interested in feedback around our servicing policies and whether our criteria makes sense to you, the researcher,” says Microsoft’s announcement of the draft.

Microsoft explains that it asks two questions when it learns of a bug:

  1. Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?
  2. Does the severity of the vulnerability meet the bar for servicing?

“If the answer to both questions is yes, then the vulnerability will be addressed through a security update that applies to all affected and supported offerings,” the document explains, and Microsoft will deliver that update ASAP. “If the answer to either question is no, then by default the vulnerability will be considered for the next version or release of an offering but will not be addressed through a security update, though in some cases an exception may be made.”

The document also explains that it rates bugs on a five-step scale – Critical, Important, Moderate, Low, and None – and that Microsoft only fixes Critical and Important flaws.

It also reveals that there are some issues for which Microsoft will pay out a bug bounty, but doesn’t feel it needs to issue a rapid fix. One such category is a Data Execution Prevention mess: a flaw that breaks DEP’s promise that “An attacker cannot execute code from non-executable memory such as heaps and stacks”.

The Register sometimes hears from security researchers who feel that Microsoft has not responded to bug reports with appropriate haste. This document and its eventual finalised successor should help to explain such incidents to researchers. It’s also of interest to end-users because by explaining bugs that Microsoft won’t rush to fix it offers some more detail about the risks that come with running Windows. ®
