Microsoft reveals how it deals with security issues in Windows

Microsoft has released two documents detailing how the company deals with security issues. The documents were prepared by the Microsoft Security Response Center (MSRC) within a year. This department receives and handles security-related reports on bugs.

The two documents consist of a website and a PDF, reports ZDNet. The website, called Microsoft Security Servicing Criteria for Windows, contains information on which type of Windows functions are generally included via Patch Tuesday security updates. The rest of the bugs are left to the general Windows development team. An update for these bugs appears in the semi-annual updates.

The bugs are divided into three categories: security boundaries, security features and defense-in-depth security features. The first category contains clear violations of the data access policy. There are a total of nine types of security boundaries, namely network, kernel, process, AppContainer sandbox, user, session, web browser, virtual machine and the Virtual Secure Mode.

The second category, security features, are errors in apps and other functions on the operating system that are made to strengthen the security boundaries. These include vulnerabilities in BitLocker, Windows Defender and Secure Boot.

The vulnerabilities in these two categories are almost always seen as security problems, which are solved as soon as possible in Patch Tuesday. The third category, defense-in-depth security features, is often less robust than the other two. It only offers extra security. These include User Account Control and AppLocker.

PDF

Microsoft has also released a PDF describing how Microsoft ranks the bug reports by severity. The document explains precisely which bugs are considered critical and which are considered important, medium or low risk.

For example, an error that allows unauthorized access to the file system to write data to the disk is considered critical. An error that only restarts an application has a low risk.