Microsoft reveals how it determines the severity of security bugs

Microsoft published two security-related documents recently that describe how the company determines the severity level of vulnerabilities and how it decides when to release the updates.

The first document, Microsoft Vulnerability Severity Classification for Windows, lists information that Microsoft's Security Response Center uses to classify the severity of security issues disclosed to the company or found by company employees.

Microsoft distinguishes between server and client systems, and classifies vulnerabilities accordingly.

Certain vulnerability or attack characteristics may lead to higher or lower severity ratings.

Client versions of Windows

• Critical -- Vulnerabilities that can be exploited without warnings or prompts. Examples include remote elevation of privileges exploits that allow attackers to write to the file system, or execute arbitrary code without user interaction.
• Important -- The main distinguishing factor between critical and important severity ratings is that important vulnerabilities are exploited with warnings or prompts, or via extensive actions without prompt. Examples include local escalation of privilege exploits or the execution of arbitrary code that requires extensive user action.
• Moderate -- Moderate vulnerabilities may allow an attacker to retrieve information from systems, e.g. through non-encrypted connections or spoofing. Also includes some denial of service attacks.
• Low -- The lowest severity rating includes attacks that are temporary in nature, e.g. Denial of Service or modifying data that does not persist across sessions.

Server versions of Windows

• Critical -- Server vulnerabilities such as network worms that compromise the server. Exampls include unauthorized file access and SQL injection attacks.
• Important -- Vulnerabilities such as denial of service attacks or elevation of privileges attacks that are non-default or for which mitigations exist that can prevent critical scenarios.
• Moderate -- Vulnerabilities that usually require specific scenarios, specific locations, or other prerequisites.
• Low -- Information disclosure and tampering that are specific or not targeted.

Microsoft Security Servicing Criteria for Windows

Microsoft revealed in a second document how it determines when to publish security updates for vulnerabilities.

Windows users and administrators know that Microsoft releases security updates on the second Tuesday of every month and that is the most common time for the release. Some security updates need to be released immediately instead; that is the case for vulnerabilities that are exploited actively and on scale. Other security updates may not get released immediately or during Patch Tuesday as they are postponed to the next feature update for a particular version of Windows.

Microsoft Security Servicing Criteria for Windows details the process of determining when to release patches. Two questions are very important when it comes to that:

• Does the vulnerability violate the goal or intent of a security boundary or a security feature?
• Does the severity of the vulnerability meet the bar for servicing?

Microsoft creates security updates for vulnerabilities if the answer to both questions is yes. If at least one answer is no, Microsoft may postpone the update to the next version or release of Windows.

The document provides information on security boundaries, features, and defense-in-depth security features as well.

• Security Boundary -- A security boundary provides a logical separation between the code and data of security domains with different levels of trust
• Security Features -- Security features build upon security boundaries to provide robust protection against specific threats.
• Defense-in-depth security features -- In some cases, a security feature may provide protection against a threat without being able to provide a robust defense. These security features are typically referred to as defense-in-depth features or mitigations because they provide additional security but may have by design limitations that prevent them from fully mitigating a threat

Closing Words

The two published documents shed some light on the severity rating scheme that Microsoft uses to classify vulnerabilities and how the company determines when to produce security updates for issues and when to push security updates to newer versions of Windows.