Microsoft Reveals Which Bugs It Won’t Patch

A draft document lays out its criteria for addressing various flaws and notes the exceptions.

Microsoft has put out initial clarification around which bugs it will rapidly patch, and which ones must wait for a new product release – and which ones it won’t address at all.

In a draft document posted online on Tuesday, the software giant laid out the criteria that the Microsoft Security Response Center (MSRC) uses when deciding what to patch and when.

There are two litmus tests that broadly guide these decisions, as the company explained in the document: “Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?”; and secondly, “does the severity of the vulnerability [as determined by Microsoft’s five-tier rating system] meet the bar for servicing?”

The “bar for servicing” in Microsoft parlance means that the flaw is rated Critical (i.e., allowing for remote code execution) or Important (privilege escalation, information disclosure, security bypasses and RCE), according to the document details.

If the answer to both questions is yes, then the prescribed action is to issue a patch, either on Patch Tuesday or, in rare cases, in an out-of-band release; if the answer to either question is no, then the bug is relegated to back-burner status in most cases, with a fix coming in a subsequent release of the product or service.

Exceptions could be possible though; if a flaw has a severity level of Moderate, but applies to a security boundary or security feature that has a servicing commitment, then a patch could conceivably still be issued.

Researchers welcomed the transparency. “The only negative here is that by telling people what you won’t fix, you open yourself to bugs in those areas,” said Brian Gorenc, director of vulnerability research for Trend Micro, in an email interview with Threatpost. “Of course, there’s a reason Microsoft has chosen not to fix those bugs. It’s incredibly unlikely those bugs would be impactful to the end user.”

Security Boundaries and Features

In the draft, Microsoft lists eight security boundaries and nine security features that carry promises for servicing, all of which are part of the company’s bug-bounty program.

As for the boundaries, Microsoft lists AppContainer sandbox, kernel, network, process, session, virtual machine, Virtual Secure Mode and web browser boundaries as qualifying. The company defines a boundary as “a logical separation between the code and data of security domains with different levels of trust,” such as the separation seen between kernel and user mode.

On the security features front, the qualifying items are authentication protocols, BitLocker and Secure Boot, Host Guardian Service, platform cryptography, Windows Defender Application Control, Windows Defender System Guard, Windows Hello and Windows Resource Access Control. Some bypasses are out-of-scope, however, depending on the details of the flaw.

Microsoft added a caveat here for defense-in-depth security features that “may have by-design limitations that prevent them from making a promise,” even though some of those listed in the document are part of the bug-bounty program.

In these instances, Microsoft contends, a bypass “can’t pose a direct risk because an attacker must also have found a vulnerability that affects a security boundary, or they must rely on social engineering to achieve the initial stage of a device compromise.” Gorenc pointed out the example of User Account Control (UAC).

“The user experience makes it feel like a security boundary, but from a technical perspective it really isn’t and therefore won’t get serviced as a security bug,” he told Threatpost.

Researchers Weigh In

The document is just a draft for now – Microsoft is asking for feedback from the research community before publishing a final version.

“We understand that researchers have wanted better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them,” Microsoft said in a short post online.

The security community has welcomed the development.

“In order to facilitate the discussion, Microsoft is marking their document,” explained Qualys director of product management Jimmy Graham, speaking to Threatpost. “This allows security researchers to provide comments on the current draft and offer recommended suggestions for potential changes. Microsoft is handling this type of conversation in a great way, with complete transparency.”

The prioritization makes sense, according to Brian Contos, CISO at Verodin.

“In a perfect world Microsoft would find a bug and patch a bug and the story is over,” he told Threatpost. “Unfortunately, the reality is that not all bugs are created equal, and some patches require a greater investment in time and resources to mitigate. Also, Microsoft (and any software company) has to concern themselves with not just patching a bug and ensuring the patch works, but they must also make sure the patch does not create new issues with their code or with other software, including software created by other organizations that integrates with their code.”

Suggested articles

Discussion

  • Dave Donaldson on

    I'm an old fart, I know. I began programming in 1972, and began programming and using microprocessors in industrial and consumer products in 1975. And although I never developed OS's on the scale of Windows, I can't for the life of me understand why Microsoft insists on a programming model that doesn't build upon predecessors as foundations but rather discards them and redesigns the whole thing, based on "new innovations" which really aren't. Approaches like that never produce a better product, just more potential for mistakes, oversights and bugs. While the number of lines of code in Windows has increased ten-fold in the past few years, the number of vulnerabilities and flaws has exploded ten times that. I've watched Unix grow in comparison, yet remain rock stable and slight of bugs while retaining much of it's original simplicity of structure, yet meeting the needs of advanced file systems, networking and security. Why oh why does anyone continue to use Windows with probably what amounts to hundreds of thousands of flaws and bugs or more, the vast majority of which will never be fixed, when Unix/BSD/Linux is available? Does anybody realize the horrible costs we've incurred through lost up-time, constant re-training, overpriced and inefficient technical support, updates, upgrades, constant hardware replacements and ridiculous product pricing and licensing schemes? Windows patches and updates poor over the Internet and I read once where excluding streaming, accounts for something like 25% or more of all Internet traffic. What the heck is that? My BSD/Linux machines only need a few libraries updated once a month and 99.99% of those are NOT security patches. Is anybody listening? I've watched Windows blunder it's way to the top using only marketing, FUD and shady if not obscenely heavy handed methods of competitive throat cutting in order to claw it's way to the top. And here, a simple, far less expensive and much more capable OS offers a lot less headaches and pain. Ever compare Linux or BSD to Windows on your favorite machine? There's nearly NO comparison. It's scary fast and rock stable. It's only Microsoft's very effective blocking of developer's porting their products to Linux that keeps Windows on top. This is like convincing ourselves that sugar is good for us. It may satisfy, but it's poison. The Emperor has no clothes!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.