Slashdot Mirror


Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update (zdnet.com)

Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release. From a report: The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update. Microsoft said in a blog post that the document is intended to offer researchers "better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them." The criteria revolve around two key questions: "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"; and, "Does the severity of the vulnerability meet the bar for servicing?" If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.

45 comments

  1. Moar cases by billybob2001 · · Score: 1

    If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.

    What if it's 1 yes and 1 no?

    1. Re: Moar cases by Anonymous Coward · · Score: 0

      Then it just gets lost and never fixed?

    2. Re:Moar cases by Anonymous Coward · · Score: 1

      The Microsoft employee rolls his eyeballs back and does a BSOD.

    3. Re: Moar cases by Anonymous Coward · · Score: 0

      Those are the ones that go unpatched for 19 years.

    4. Re:Moar cases by sconeu · · Score: 1

      Next release.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    5. Re:Moar cases by Anonymous Coward · · Score: 0

      Heads or tails?

    6. Re:Moar cases by Anonymous Coward · · Score: 0

      You need a quantum computer for that

    7. Re:Moar cases by Anonymous Coward · · Score: 0

      Pretty bad when their security release criteria includes a vulnerability. o_O

    8. Re: Moar cases by Anonymous Coward · · Score: 0

      Those get patched the second Tuesday of the following week.

  2. When do they decide to fix the actual problem... by Anonymous Coward · · Score: 0

    rather than just adding workarounds that will later be found to be faulty or incomplete?

  3. "vulnerability will be considered" by Anonymous Coward · · Score: 0

    Reading between the lines... "We (don't give a fuck) care about our customers security."

    1. Re:"vulnerability will be considered" by Anonymous Coward · · Score: 0

      Nonsense.

  4. In use by AHuxley · · Score: 2

    by the NSA? FBI? Ongoing investigation?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:In use by jfdavis668 · · Score: 1

      Mostly bitcoin mining bots.

  5. Spectre v4 by Anonymous Coward · · Score: 0

    This is nice and all, but why were Windows 8.1 and Server 2012 R2 skipped when implementing Spectre v4 mitigations? According to https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012 only 7, Server 2008 R2, 10 and 10-based Servers had the fixes, which for some reason are also turned off by default even on Client versions. The previous Spectre/Meltdown patches were turned on by default on Client and off on Server.

    The performance impact is within margin of error for some simple tests (compute, SSD and network) I did with a Kaby Lake CPU with the proper new microcode, so this can't be the reason.

    1. Re:Spectre v4 by ElizabethGreene · · Score: 1

      The speculative store bypass is disabled by default because, from the link you posted, "At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate. [...] If a vulnerable code pattern is found, we will address it with a security update."

      As to 2012r2/8.1, good question. I would be surprised if those weren't added in a future release.
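      One way to verify on a given host whether the speculative store bypass (SSBD) mitigation discussed above is present and actually enabled, as an added example that is not from either poster or from Microsoft: it assumes Microsoft's published SpeculationControl PowerShell module is installed, and the SSBD property names read from its output object are assumed to match that module.

```powershell
# Added example, not part of the thread. Assumes the SpeculationControl module
# (Install-Module SpeculationControl) is available; the SSBD* property names
# below are assumed to be those the module returns.
Import-Module SpeculationControl -ErrorAction Stop

# The cmdlet prints a human-readable report and also returns an object;
# capture the object so the result can be evaluated programmatically.
$settings = Get-SpeculationControlSettings

$checks = [ordered]@{
    'SSBD hardware support present'  = [bool]$settings.SSBDHardwarePresent
    'SSBD Windows support present'   = [bool]$settings.SSBDWindowsSupportPresent
    'SSBD enabled system-wide'       = [bool]$settings.SSBDWindowsSupportEnabledSystemWide
}

foreach ($entry in $checks.GetEnumerator()) {
    '{0,-32} : {1}' -f $entry.Key, $entry.Value
}

# The case the replies above describe: the OS patch and microcode are in place,
# but the mitigation is left off by default, so nothing is actually protected.
if ($checks['SSBD Windows support present'] -and -not $checks['SSBD enabled system-wide']) {
    Write-Warning 'SSBD support is installed but not enabled system-wide; see ADV180012 for how to enable it.'
}
elseif (-not $checks['SSBD Windows support present']) {
    Write-Warning 'This Windows build has no SSBD support (e.g. the versions the advisory does not cover).'
}
```

      Run it in an elevated PowerShell session; the module reads kernel-reported mitigation state, so the result reflects both the installed update and the microcode actually loaded.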

    2. Re:Spectre v4 by Anonymous Coward · · Score: 0

      Thanks, I missed that part.

    3. Re:Spectre v4 by Anonymous Coward · · Score: 0

      > but why was Windows 8.1 and Server 2012 R2 skipped when implementing Spectre v4 mitigations

      because 7 is EOL soon, it doesn't matter; and 8.1 is not the Windows version that Microsoft desperately wants you to be using. Just another way to force people to Win10.

  6. In other words... by 110010001000 · · Score: 1

    ...we have some arbitrary promises about security and we evaluate each bug against those arbitrary promises. Oh, and we have no legal liabilities or requirements to do anything, so you have no recourse so stop complaining.

  7. Code by Anonymous Coward · · Score: 4, Funny

    if (paying_customer) {
        deploy_fix();
        charge_customer_more();
    } else {
        deploy_rushed_buggy_fix_and_let_customer_test();
    }

    if (can_make_more_money) {
        do_not_deploy_fix();
    }

    if (issue_is_critical) {
        deploy_fix_with_mandatory_telemetry_update();
        add_more_data_exfiltration();
        charge_customer_more();
    } else {
        charge_customer_more_anyway();
        add_more_data_exfiltration();
        add_telemetry_update();
        deauthorize_windows_just_for_fun();
    }

    1. Re: Code by Anonymous Coward · · Score: 0

      Are you an open sores developer? Your cascading if statements are reminiscent of a high school coding project.

    2. Re: Code by Anonymous Coward · · Score: 0

      10 CLS
      20 START BSOD
      30 GOTO 10

    3. Re: Code by Anonymous Coward · · Score: 0

      I'm a java developer, writing the next Windows OS, which will be written in Java, and run on a java machine written in java, running a java VM written in java, running class libraries written in java, running on a vm written in java.

      When your PC boots in a month, and after the profiler runs in another week, the OS will be super fast and responsive.

      You sound old, are you an ASSembly programmer?

    4. Re: Code by Anonymous Coward · · Score: 0

      Best part is every layer of JIT makes it even faster than the last.
      As we all know, VMs are faster than bare metal.

    5. Re:Code by Anonymous Coward · · Score: 0

      The vulnerabilities they patch probably have more to do with the ones they can figure out how to patch without breaking everything else than how critical they actually are.

  8. Who Cares by Anonymous Coward · · Score: 0

    Switched to Linux long ago.

  9. I had win10 on a new PC for a short while by FudRucker · · Score: 0

    and I decided to upgrade it myself with Linux, buh bye Microsoft spyware

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:I had win10 on a new PC for a short while by Anonymous Coward · · Score: 0

      bye bye Windows, hello shit desktop (i.e. recompiling thunar because it crashes when renaming a file)

    2. Re:I had win10 on a new PC for a short while by Anonymous Coward · · Score: 0

      Compiling? Are you the same one talking about kernel panics being common in modern Linux a few Microsoft articles ago?

      Your information is grossly out of date unless you're thinking of making your general-use average desktop Linux box with Gentoo or Linux From Scratch. :P Pre-compiled binaries from each distro tend to be the norm, not the exception.

      Captcha: unseen

  10. Block those exploiting vulnerabilities by Anonymous Coward · · Score: 0

    See subject & via APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

    Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address (that most firewalls use)) more efficiently/FASTER + NATIVELY 4 less!

    (... Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ bugs (DNS/AntiVir) + their overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

    * Created in FreePascal/Lazarus 1.8.2 using GTK3 on OpenGL 3.1 via KDE Plasma desktop on Kubuntu 18.04 plus patches.

    APK

    P.S.=> Enjoy - it's much better vs. the Windows model on many fronts (speed & efficiency, mostly (plus new "merge" feature))... apk

  11. Registered /.ers opinions of the Win64 model by Anonymous Coward · · Score: 0

    Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

    (APK's work), I've flat out said it's good by BronsCon February 11 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    I do use APK's host file on all my systems at home by OrangeTide December 01 2017

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * See subject: Best part's this Linux 64-bit model is faster & more efficient (does 2x the work in 1/2 the time, literally)

    APK

    P.S.=> Enjoy a faster/safer/more reliable internet... apk

  12. Microsoft Explains How Bugs Fixed In Windows by Anonymous Coward · · Score: 0

    cp /dev/null /usr/microsoft/whitepaper.txt

  13. How they really decide by cellocgw · · Score: 1

    Just substitute "operating system" for "car".

    Narrator:
    A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

    Business woman on plane:
    Are there a lot of these kinds of accidents?

    Narrator:
    You wouldn't believe.

    Business woman on plane:
    Which car company do you work for?

    Narrator:
    A major one.

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    1. Re:How they really decide by viperidaenz · · Score: 1

      Since when did my operating system have a differential?

  14. Rename Slashdot to: "THE MICROSOFT BLOG!" by Anonymous Coward · · Score: 0

    can't have too many M$ FP stories a day!

    LAME!

    1. Re:Rename Slashdot to: "THE MICROSOFT BLOG!" by TimSSG · · Score: 1

      Am I the only one who read the thread title as "THE MICROSOFT BORG!"? Tim S.

  15. OSS by Anonymous Coward · · Score: 0

    In the meantime, in the open-source world you can get an update as soon as someone creates a fix.

  16. Three Letters by Anonymous Coward · · Score: 0

    Ess Pee Aitch

    I'll also get my response to your inevitable reply in right now, to save time : "I didn't read your post. SPH. You're welcome".

  17. Re:Block those exploiting vulnerabilities by Anonymous Coward · · Score: 0

    1) APK is never wrong

    2) APK is the greatest thing since sex. In fact, the fact that APK has deigned to grace us with his presence here is better than sex and we must bow down before the mighty APK.

    3) Even if you can show that you wrote a program to invoke world peace, have all the taxes you ever paid refunded legally, and give you head each morning, unless you got a better rating from ZDNet than APK, you still ain't shit, and more specifically, you ain't a pimple on the ass of the mighty and powerful APK.

    4) Network engineers ain't shit, most especially compared to the deity-on-earth known as APK. APK Knows this because many years ago, he was an NT admin for a couple of years.

    5) APK knows all computer law better than the DOJ web site.

  18. Re: Registered /.ers opinions of the Win64 model by Anonymous Coward · · Score: 0

    I lack the social skills to recognize how incredibly annoying I am. Instead of growing as a person, I'll just attack people and cyber stalk anyone who's ever criticized me while logged in.

    APK

    P.S.=> No really, I'm just completely out of the loop on this whole thing, and would really benefit from someone explaining to me why my behaviors are destructive and irritating.

  19. Golly: It's my unidentifiable ac stalker by Anonymous Coward · · Score: 0

    See subject: Grow up OR take your loony bird meds ok? I'm never wrong against losers like you, that's certain, & you're obviously butthurt over that.

    * SysAdmins (which YOU have given away is the MOST you are - ain't much & why) are the 1 thing I will address from your blatant immature lunacy - & with NOTHING BUT truth/fact: They're merely USERS w/ a BETTER PASSWORD (imo, failed programmers who upon finding out it's a LOT tougher to write code than to merely USE OTHERS' CODE that actually write tools they merely USE in "scriptkiddie SCRYPTZ") - no denying it.

    APK

    P.S.=> What makes ME laugh the MOST @ 'their kind' (& like you said, I was one until I elevated OVER/BEYOND that limited skillset)? They try "pass it off" like they are "GOD" (lol, bs) - minus coders like myself they are HELPLESS minus tools we create FOR them to "use" (as users with nothing more than a better password) - their illusion goes to MANY of their heads (not all, but many & some actually DO code, but why limit yourself that way to ONLY networking? To each his own on those "exception" RARE cases))... apk