Microsoft lists bugs it won't patch
Microsoft has put out clarification about which bugs it will patch immediately, which ones must wait for a new product release, and which ones it won't address at all. In a draft document posted online on Tuesday, Microsoft laid out the criteria that the Microsoft Security Response Center uses when deciding what to patch and when.
There are two litmus tests that broadly guide these decisions, as the company explained in the document. Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending? Does the severity of the vulnerability, as determined by Microsoft's five-tier rating system, meet the bar for servicing? The bar for servicing, in Microsoft parlance, means that the flaw is rated critical or important, according to the document.
If the answer to both questions is yes, then the action is to issue a patch, either on Patch Tuesday or, in rare cases, in an out-of-band release. If the answer to either question is no, then the bug is relegated to back-burner status, with a fix coming in a later release of the product or service. If a flaw has a severity level of moderate but applies to a security boundary or security feature that has a servicing commitment, then a patch could still be issued. Researchers welcomed the transparency. The only negative is that by telling people what it won't fix, Microsoft opens itself to bugs in those areas. There's a reason Microsoft has chosen not to fix those bugs: it's incredibly unlikely those bugs would be impactful to the end user.
In the draft, Microsoft lists eight security boundaries and nine security features that carry promises for servicing, all of which are part of the company's bug-bounty program. As for the boundaries, Microsoft lists AppContainer sandbox, kernel, network, process, session, virtual machine, Virtual Secure Mode and web browser boundaries as qualifying. The company defines a boundary as "a logical separation between the code and data of security domains with different levels of trust," such as the separation seen between kernel and user mode.
On the security features front, the qualifying items are authentication protocols, BitLocker and Secure Boot, Host Guardian Service, platform cryptography, Windows Defender Application Control, Windows Defender System Guard, Windows Hello and Windows Resource Access Control. Some bypasses are out of scope, however, depending on the details of the flaw. Microsoft added a caveat here for defense-in-depth security features that have by-design limitations preventing them from making a promise, even though some of those listed in the document are part of the bug-bounty program. In these cases, Microsoft contends, a bypass can't pose a direct risk, because an attacker must also have found a vulnerability that affects a security boundary, or must rely on social engineering to achieve the initial stage of a device compromise. The user experience makes such a feature feel like a security boundary, but from a technical perspective it really isn't, and therefore a bypass won't get serviced as a security bug.
The document is just a draft for now; Microsoft is asking for feedback from the research community before publishing a final version. In order to facilitate the discussion, Microsoft is marking its document. This allows security researchers to provide comments on the current draft and offer suggestions for potential changes. Microsoft is handling this type of conversation in a great way, with complete transparency. In a perfect world Microsoft would find a bug, patch the bug, and the story would be over. Unfortunately, the reality is that not all bugs are created equal, and some patches require a greater investment in time and resources to mitigate. Also, Microsoft has to concern itself not just with patching a bug and ensuring the patch works, but also with making sure the patch does not create new issues with its own code or with other software, including software created by other organizations that integrates with its code.