Microsoft details for the first time how it classifies Windows security bugs

Microsoft has today published two documents that describe, for the first time, how the company classifies and handles security bugs, opening that process up to the security research community.

The documents were compiled over the past year by the Microsoft Security Response Center (MSRC), the team that receives and processes security-related bug reports for Microsoft products.

Preliminary versions of both documents were released in June for researchers and the security industry to review. The final versions, with substantial changes, have been published today.


The first of these documents is a web page called "Microsoft Security Servicing Criteria for Windows". It describes which kinds of Windows bugs are normally addressed through urgent security updates on Patch Tuesday, and which are left to the main Windows development team to fix and ship in the semi-annual Windows feature updates.

The document divides everything into three categories: security boundaries, security features, and defense-in-depth security features.

Security boundaries are what Microsoft regards as clear violations of its data access policies. For example, a bug report describing how a non-administrator user-mode process can access kernel-mode memory and data would be treated as a violation of a security boundary, in this case the kernel boundary. Microsoft lists nine security boundaries: the network, kernel, process, AppContainer sandbox, user, session, web browser, virtual machine, and Virtual Secure Mode boundaries.

The security features category covers bug reports in applications and other operating system components that are designed to enforce those security boundaries, such as BitLocker, Windows Defender, Secure Boot and others.

Bug reports in the first two categories are almost always treated as security vulnerabilities that Microsoft will try to address through fixes shipped in the monthly Patch Tuesday security updates.


The third category, defense-in-depth security features, covers security features that Microsoft does not consider as robust as the first two categories, but that offer "additional security" on top of them.

Defense-in-depth security features include User Account Control (UAC), AppLocker, Address Space Layout Randomization (ASLR), Control Flow Guard (CFG), and more.

Bug reports in defense-in-depth features are generally not serviced via Patch Tuesday; instead they are recorded and may be addressed in a later release, if necessary.

We will not reproduce the entire document in this article, but we recommend reading each category and its examples in the original document.


The second document Microsoft released today is a PDF that describes how Microsoft assigns severity ratings to bug reports. It details which bugs are rated Critical, which are rated Important, which are rated Moderate, and which are considered Low risk.

For example, a bug that allows unauthorized file system access to write data to disk is rated Critical, while a denial-of-service bug that merely restarts an application is considered Low risk.

Microsoft has been criticized several times in recent years for failing to fix some vulnerabilities after researchers submitted bug reports.

The purpose of these documents is to clarify matters for security researchers, the media, system administrators and regular users. Like any other organisation, the MSRC has limited resources, and these documents give the community insight into the procedures Microsoft staff use to evaluate and prioritize security vulnerabilities.

"We expect this document to evolve over time and we look forward to continuing the dialogue with the community on this topic," Microsoft said today.
