Microsoft has released the criteria used to determine whether a reported and confirmed vulnerability is resolved through a security update or in the next version of Windows. These criteria were released in order to provide insight into the decision-making process and to receive feedback from security researchers.

According to Microsoft, when a vulnerability is reported they evaluate how it should be handled by asking two questions.

  1. Does the vulnerability violate a security boundary or security feature that Microsoft has committed to defending against attacks?
  2. Is the severity of the vulnerability such that it requires immediate attention through the release of a security update?

If the answer to both of those questions is "Yes", then a security update will be released. On the other hand, if the answer to either of the questions is "No", then the vulnerability is usually, but not always, pushed towards being fixed in a new version of the software instead.

For security boundaries, Microsoft is committed to protecting them, but interestingly not all Windows security features have that same promise.

Defending the boundary

A "Security Boundary" is defined by Microsoft as the "logical separation between the code and data of security domains with different levels of trust". Bypassing one of these boundaries is obviously a problem, as it means code is being run to perform tasks that should normally not be allowed.

For example, a violation of the "Kernel Boundary" would be if a user mode process is able to access and modify the data or code of the Kernel. Another example that violates the "Virtual Machine Boundary" is if a process in a Guest virtual machine could modify the data or code of the host machine or another guest virtual machine.

Other security boundaries include the Network boundary, Process boundary, AppContainer sandbox boundary, Session boundary, Web browser boundary, and Virtual Secure Mode boundary. Microsoft has committed to protecting all of these boundaries from vulnerabilities that could potentially bypass them.

Not all security features are created equal

While Microsoft is committed to protecting all security boundaries, not all security features are treated the same way. Microsoft explains that they are committed to protecting some security features, but there are other features, called "Defense-in-depth" features, for which they do not have the same commitment.

For example, some security features are expected to work as intended, and if they don't, Microsoft promises to resolve them. These include "Windows Hello / Biometrics", "Secure Boot", and "BitLocker", which all have a strict definition as to how they are intended to secure a computer and its data.

On the other hand, "Defense-in-depth" features are ones that are intended to protect some aspect of Windows, but come with no promise to do so. This is because they require an existing "security boundary" to be breached in order to exploit them. Thus fixing the more critical vulnerability in the boundary would protect the defense-in-depth feature from being exploited.

These defense-in-depth features include Controlled Folder Access, Windows Defender, AppLocker, and User Account Control (UAC). Vulnerabilities in these features will not lead to a security update, but may be resolved in future updates of Windows.

Tying it all together

The last part of the decision process is the severity of the vulnerability. If the vulnerability is Critical or Severe and affects a security boundary or security feature with a promised commitment, then a security update will be released.

On the other hand, if it does not meet both of these criteria, the vulnerability may not be fixed until a new Windows update is released.
