
Microsoft reveals which Windows bugs it might decide not to fix

Draft document explains where Redmond thinks its responsibility ends

By Simon Sharwood


Microsoft has published a draft “Security Servicing Commitments for Windows” in which it explains which bugs it will and won’t fix.

The document (PDF) was revealed on June 12th and is intended for security researchers, to offer “better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them.”

“We are primarily interested in feedback around our servicing policies and whether our criteria makes sense to you, the researcher,” says Microsoft’s announcement of the draft.

Microsoft explains that it asks two questions when it learns of a bug:

  1. Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?
  2. Does the severity of the vulnerability meet the bar for servicing?

“If the answer to both questions is yes, then the vulnerability will be addressed through a security update that applies to all affected and supported offerings,” the document explains, and Microsoft will deliver that update ASAP. “If the answer to either question is no, then by default the vulnerability will be considered for the next version or release of an offering but will not be addressed through a security update, though in some cases an exception may be made.”

The document also explains that Microsoft rates bugs on a five-step scale – Critical, Important, Moderate, Low, and None – and that Microsoft only fixes Critical and Important flaws.

It also reveals that there are some issues for which Microsoft will pay out a bug bounty, but doesn’t feel it needs to issue a rapid fix. One such category of flaws is a Data Execution Prevention mess in which “An attacker cannot execute code from non-executable memory such as heaps and stacks”.

The Register sometimes hears from security researchers who feel that Microsoft has not responded to bug reports with appropriate haste. This document and its eventual finalised successor should help to explain such incidents to researchers. It’s also of interest to end-users because, by spelling out the bugs that Microsoft won’t rush to fix, it offers some more detail about the risks that come with running Windows. ®
