Microsoft security servicing criteria
There’s some good info buried in here. Microsoft Security Servicing Criteria for Windows.
One of our goals in the Microsoft Security Response Center (MSRC) is to be more transparent with security researchers and our customers on the criteria we use for determining when we intend to address a reported vulnerability through a security update. Our belief is that improving transparency on this topic helps provide clarity on how we assess risk, sets expectations for the types of vulnerabilities that we intend to service, and facilitates constructive dialogue as the threat landscape evolves over time. Ultimately, we believe this enables us all to work together to better protect Microsoft’s customers.
There are links to two supporting documents: a lengthy report on how Microsoft identifies security problems (it’s by no means trivial), and a description of how Microsoft assigns severity levels (“Critical,” “Important,” “Moderate,” “Low”) to a specific vulnerability. For example, in order for a security hole to earn a “Critical” rating for a regular ol’ Windows machine (not a server) it must meet these criteria:
Network Worms, or unavoidable common browsing/use scenarios where client is compromised without warnings or prompts.
- Elevation of Privilege (Remote) – The ability to either execute arbitrary code OR obtain more privilege than intended. Examples:
  - Unauthorized File System Access – Writing to file system
  - Execution of Arbitrary code – without extensive user action
  - Exploitable memory corruption issues in remotely callable code (without extensive user action)
- Guest virtual machine
  - In a virtualized environment, a vulnerability allows the guest VM to cause arbitrary code execution in the host machine, effectively defeating the virtual machine boundary.

The structure of the explanation leaves much to be desired, but the underlying intent seems sound to me.
What would you add? (Or remove?)