There have been many a time when I was in the middle of doing work for a client and all of a sudden Windows 10 on my computer starts the software patch/update process. Not only that, but it seems like that the whole process of updating takes forever…almost 90 minutes at one time. But, that is something that will probably never change, so I guess I have to get used to that.
Since Windows has been and always seems to get hit with Security issues, I have always wondered how Microsoft exactly classifies all of this and determines what exactly is a priority and thus needs immediate patching. Well today, I got my answer.
Today, Microsoft released two documents as to its entire classification scheme, and determines the order of how the bugs and vulnerabilities need to be fixed. It has taken the company well over a year to compile all of this stuff, which was done by the Microsoft Security Response Center (MSRC). These documents actually came out in June to the IT community for any edits, comments, and revisions to be made.
But today, the documents now stand as approved and official. The first document is entitled “Microsoft Security Servicing Criteria for Windows”. It can be accessed at this link:
This document outlines in detail on the types of Windows features that are usually serviced via urgent Patch Tuesday security updates (yes, those annoying downloads). It also details the remaining bugs that are to be fixed, and these kinds of patches are usually rolled out twice a year (since this is a pretty small frequency, I guess that Microsoft must deem as not critical).
This document splits the more Windows features into three distinct categories, which are as follows:
These are the bugs that Microsoft considers as clear violations of data access policies. An example of this would be an end user somehow obtaining admin rights and privileges when they are not supposed to the kernel mode. In this regard, there are nine types of Security Boundaries:
- The network;
- The Kernel;
- The Process;
- The AppContainer sandbox;
- The User;
- The Session;
- The Web Browser;
- The Virtual Machine;
- The Virtual Secure Mode boundary.
These are the specific bug reports and the other Windows OS features that are build to reinforce the above mentioned Security Boundaries. These reports include the likes of BitLocker, Windows Defender, and Secure Boot. It should be noted that the first two Security Boundaries are deemed to be the most critical, and Microsoft will always make it a top priority to get them in on the weekly Tuesday patch list if there are any bug reports that are associated with them.
*Defense In Depth:
These are merely Security features that Microsoft considers as just “extra”, and not too critical. Examples of these features include the following:
- The User Account Control (UAC);
- The AppLocker;
- The Address Space Layout Randomization (ASLR);
- The Control Flow Guard (CFG).
The second document describes in detail as to how the bugs are exactly classified. It can be accessed at this link:
The breakdown is in four distinct categories:
For example, any bug violates any access rules will be clearly marked as “Critical.” A Denial of Service big will be classified as “Low”.
Well, there you have it. Now you know how Microsoft classifies Security bugs and vulnerabilities, and the details that go behind them. For the longest time, the company has been criticized for not being forthcoming and transparent about how it goes about determining what gets patched first.
Microsoft also considers these two documents to be “living”, in the sense that it will always solicit feedback from the Cyber security community, and update them in real time as deemed to be necessary. Of course, it will probably grow over time, and it is quite conceivable as well that there could even be more Security related documents than these two just released.
I am really glad that the company has finally revealed some its “secrets”, but in my opinion, don’t expect too much more from them. After all, the Windows OS is a Closed Source Platform, and Microsoft does not want to give away too much more detail.