Jeremy Herold

How Microsoft Decides Security Patch Implementation

No Comments

Microsoft is clarifying their vulnerability patching procedures

Microsoft explains how it decides whether a vulnerability will be patched swiftly or left for a version update.

Microsoft published a new draft document that explains how they decide whether a security vulnerability will be patched swiftly or if the vulnerability can wait to be fixed during a version update.

The document is intended to offer researchers “better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them.” It outlines the criteria the Microsoft Security Response Center uses when making a decision on whether the bug needs a swift update or if it will be left for later.

The two key questions that help the Microsoft Security Response Center make that decision are: “Does the vulnerability violate a promise made by a security boundary or a service feature that Microsoft has committed to defending?” and “Does the severity of the vulnerability meet the bar for servicing?”

If the answer to both questions is ‘yes,’ then the bug will be patched during a security update, while if the answer to both is ‘no,’ the vulnerability will be considered for the next version or release of the software.

Of course, servicing is defined by Microsoft’s severity rating system. The rating system aims to help customers understand the risk of each vulnerability that it patches. The risk levels are defined as Critical, Important, Moderate, Low, and None.

The draft states, “If a vulnerability is rated as Critical or Important, and the vulnerability applies to a security boundary or security feature that has a servicing commitment, then the vulnerability will be addressed through a security update.”

Security boundaries that Microsoft maintains a servicing commitment for cover the network, kernel, process, AppContainer sandbox, session, web browser, virtual machine, and Virtual Secure Mode.

BitLocker and Secure Boot, Windows Defender System Guard, Windows Defender Application Control, Windows Hello, Windows Resource Access Control, platform cryptography, Host Guardian Service, and authentication protocols are all security features with a servicing commitment.

All of the listed security boundaries and security features are included in Microsoft’s bug bounty program.

However, Microsoft’s servicing commitments do not apply to some defense-in-depth or Windows 10 OS hardening features such as Control Flow Guard, Code Integrity Guard, and Arbitrary Code Guard. Controlled Folder Access and Windows Defender are also excluded.

You’ll find Microsoft’s complete six page draft here: https://msdnshared.blob.core.windows.net/media/2018/06/Microsoft-Security-Servicing-Commitments_SRD.pdf

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648

Subscribe to our newsletter!

More from our blog

See all posts
No Comments
Jeremy Herold information