Microsoft has revealed how its security team plans to handle reported vulnerabilities and when it will ship patches for them. The details are outlined in a draft document describing how the Microsoft Security Response Center will respond to issues of different severity levels.
Patch Release Policy Revealed in Microsoft Draft Document
Microsoft posted a document giving details on how its development team will respond depending on the severity of a reported security issue. The company published this clarification because of widespread confusion about how Microsoft reacts to the wide variety of threats reported to it. Two questions must both be answered "yes" for the security team to address a reported issue under this policy:
- Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?
- Does the severity of the vulnerability meet the bar for servicing?
The developers note that Microsoft has defined a set of security boundaries that outline the Windows servicing commitments: the network boundary, kernel boundary, process boundary, AppContainer sandbox boundary, session boundary, web browser boundary, virtual machine boundary and virtual secure mode boundary. According to the document, the purpose of these boundaries is to provide a logical separation between the code and data of domains with different levels of trust.
The next group of features covered by the policy are the security mechanisms integrated into the operating system. By design, they are not expected to contain vulnerable components. The list of these essential services includes the following entries: BitLocker, Secure Boot, Windows Defender System Guard (WDSG), Windows Defender Application Control (WDAC), Windows Hello (Biometrics), Windows Resource Access Control, Platform Cryptography, Host Guardian Service (HGS) and the associated authentication protocols.
Microsoft specifies five severity ratings that determine how quickly a security issue is to be addressed. Each rating comes with a description of the kinds of issues it covers. The list is the following:
- Critical — Includes Remote Code Execution vulnerabilities that allow an attacker to execute code without any user interaction.
- Important — Elevation of Privilege, Information Disclosure, Remote Code Execution requiring user interaction, Denial of Service (DoS) and Security Feature Bypass.
- Moderate — Denial of Service (DoS), Information Disclosure and similar issues.
- Low — To be announced.
- None — To be announced.
The draft document is still being developed and updated. We expect to see its full version soon, which should be of considerable help to the whole security community. Users can access the draft here.