Slashdot Mirror


Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update (zdnet.com)

Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release. From a report: The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update. Microsoft said in a blogpost the document is intended to offer researchers "better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them." The criteria revolve around two key questions: "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"; and, "Does the severity of the vulnerability meet the bar for servicing?" If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.

11 of 45 comments

  1. Moar cases by billybob2001 · · Score: 1

    If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.

    What if it's 1 yes and 1 no?

    1. Re:Moar cases by Anonymous Coward · · Score: 1

      The Microsoft employee rolls his eyeballs back and does a BSOD.

    2. Re:Moar cases by sconeu · · Score: 1

      Next release.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.

  2. In use by AHuxley · · Score: 2

    by the NSA? FBI? Ongoing investigation?

    --
    Domestic spying is now "Benign Information Gathering"

    1. Re:In use by jfdavis668 · · Score: 1

      Mostly bitcoin mining bots.

  3. In other words... by 110010001000 · · Score: 1

    ...we have some arbitrary promises about security and we evaluate each bug against those arbitrary promises. Oh, and we have no legal liabilities or requirements to do anything, so you have no recourse so stop complaining.

  4. Code by Anonymous Coward · · Score: 4, Funny

    if (paying_customer) {
        deploy_fix();
        charge_customer_more();
    } else {
        deploy_rushed_buggy_fix_and_let_customer_test();
    }

    if (can_make_more_money) {
        do_not_deploy_fix();
    }

    if (issue_is_critical) {
        deploy_fix_with_mandatory_telemetry_update();
        add_more_data_exfiltration();
        charge_customer_more();
    } else {
        charge_customer_more_anyway();
        add_more_data_exfiltration();
        add_telemetry_update();
        deauthorize_windows_just_for_fun();
    }

  5. Re:Spectre v4 by ElizabethGreene · · Score: 1

    The speculative store bypass is disabled by default because, from the link you posted, "At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate. [...] If a vulnerable code pattern is found, we will address it with a security update."

    As to 2012r2/8.1, good question. I would be surprised if those weren't added in a future release.

  6. How they really decide by cellocgw · · Score: 1

    Just substitute "operating system" for "car".

    Narrator:
    A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

    Business woman on plane:
    Are there a lot of these kinds of accidents?

    Narrator:
    You wouldn't believe.

    Business woman on plane:
    Which car company do you work for?

    Narrator:
    A major one.

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw

    1. Re:How they really decide by viperidaenz · · Score: 1

      Since when did my operating system have a differential?

  7. Re:Rename Slashdot to: "THE MICROSOFT BLOG!" by TimSSG · · Score: 1

    Am I the only one who read the thread title as "THE MICROSOFT BORG!"? Tim S.