Microsoft revealed that it asks two questions before providing a security update for a reported and confirmed vulnerability:
- Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?
- Does the severity of the vulnerability meet the bar for servicing?
If the answer to both questions is “yes”, Microsoft will almost certainly ship a security update to resolve the issue. If the answer to either question is “no”, the fix is not serviced as a security update; instead it is considered for the next version or release of the product.
Microsoft remarked that it is primarily concerned with protecting “Security Boundaries”. A Security Boundary is a “logical separation between the code and data of security domains with different levels of trust.” The boundaries Microsoft commits to defending are the Network, Kernel, Process, AppContainer sandbox, Session, Web browser, Virtual Machine, and Virtual Secure Mode boundaries. A Security Boundary vulnerability is one that lets code or data cross from a lower-trust domain into a higher-trust one, for example a user-mode process reading or writing kernel memory, or a guest escaping its virtual machine onto the host. Because each boundary carries an explicit promise, Microsoft would issue a security update for any vulnerability that crosses one.
The corporation treats other security features differently from its Security Boundaries. Some features, such as “Secure Boot”, warrant an immediate security update because they “make a promise related to the threat they are protecting against and there are not expected to be any by design limitations”. Bypasses of “Defense-in-depth” features, by contrast, are saved for a future version of Windows. A defense-in-depth feature (exploit mitigations such as ASLR or Control Flow Guard are typical examples) assumes an attacker has already found a flaw inside a Security Boundary and merely raises the cost of exploiting it; it makes no promise to stop a class of attack outright and may have by-design limitations. Microsoft therefore services the underlying boundary vulnerability, not the mitigation that failed to contain it.
Microsoft also rates the severity of vulnerabilities as “critical”, “important”, “moderate”, “low”, or “none”. A “critical” vulnerability would enable the attacker to “execute malicious code on a system without user interaction”; an SMB remote code execution flaw is a textbook example. An “important” vulnerability could compromise the confidentiality, integrity, or availability of user data or processing resources, such as a local privilege escalation or an information disclosure. A “moderate” vulnerability is one whose impact is significantly reduced by factors such as authentication requirements or applicability only to non-default configurations, and a “low” vulnerability is comprehensively mitigated by the characteristics of the affected component. Only a rating of “critical” or “important” meets the servicing bar, so a security update is released when a vulnerability carries one of those ratings and violates a Security Boundary or a feature with a Secure Boot-style promise.
Overall, Microsoft’s statement offers a fascinating look into the security servicing process of one of the world’s most valuable companies. It also goes some way toward explaining which Windows updates arrive out of band and why, including the ones that pop up at the most inconvenient times.