June 22, 2018 | By Joel Odom
Microsoft has published a draft of a six-page document that describes how their security response center decides how to handle vulnerabilities reported by security researchers. The document explains that vulnerabilities that violate certain security boundaries or security features are subject to patching, whereas other vulnerabilities may only be addressed in future versions of their products. The document also clarifies which security features are subject to bug-bounty awards and which are not.
IISP Analyst Joel Odom: "A short draft publication like this may not at first seem to be the kind of material that is worth much commentary, but its release in the security research community has stirred interest because of the insight it provides into what security features Microsoft considers most important. It's an educational piece for security managers and for technical persons alike.
According to the paper, there are two questions that Microsoft asks when deciding how to triage a security vulnerability. The questions can be simplified into: Is the vulnerability dangerous in a security feature that Microsoft is committed to protecting? If the answer is yes, then Microsoft will patch the vulnerability. It's a common-sense question that balances business costs and security. The meat of the paper explains how Microsoft answers this question.
A large section discusses security boundaries. Most computers have network connections, multiple users, and may be used to run software (including web applications) from different sources. Security boundaries to protect a computer and its data reside at the point of network entry, at the boundary between tabs in a web browser, and at the boundary between user applications and the operating system. The rise of virtualization has created the need to protect virtual computers running on the same host from each other. The Microsoft paper includes an informative list of important security boundaries, every one of which Microsoft indicates they are committed to protecting. Understanding these security boundaries is important to understanding how a modern operating system protects data.
The paper also discusses security features, such as access-control features that authenticate users onto the system and that make decisions about what actions an authenticated user is allowed to take. System cryptography services, which both user applications and the operating system use to perform exceptionally sensitive operations, are also included in the list of security features. As in the case of the security boundaries listed in the paper, Microsoft indicates that they are committed to patching all of the security features described in the paper.
We also learn from this document the kinds of features that Microsoft is not necessarily committed to patching. In particular, Microsoft notes that defense-in-depth features, which provide extra layers of safety, will not necessarily be patched if a flaw is discovered. For example, User Account Control, which gives a user a visual cue when applications request administrative access to the system, will not necessarily be patched. This is not a problem from a security standpoint. Security is never perfect, and there is always a tradeoff between business requirements and the cost of security. The insight into how Microsoft calculates this tradeoff within the paper should be interesting to security managers and techies alike."
For further reading
- Microsoft Paper: https://msdnshared.blob.core.windows.net/media/2018/06/Microsoft-Security-Servicing-Commitments_SRD.pdf
- Microsoft Blog: https://blogs.technet.microsoft.com/srd/2018/06/12/draft-of-microsoft-security-servicing-commitments-for-windows/
Joel Odom leads a team of researchers focused on software security as branch head for the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute. He and his team research static and dynamic software analysis, software testing techniques, software reverse engineering, and software vulnerability discovery and mitigation.