Microsoft published two security-related documents recently that describe how the company determines the severity level of vulnerabilities and how it decides when to release the updates.
The first document, Microsoft Vulnerability Severity Classification for Windows, lists information that Microsoft's Security Response Center uses to classify the severity of security issues disclosed to the company or found by company employees.
Microsoft distinguishes between server and client systems, and classifies vulnerabilities accordingly.
Certain vulnerability or attack characteristics may lead to higher or lower severity ratings.
Microsoft revealed in a second document how it determines when to publish security updates for vulnerabilities.
Windows users and administrators know that Microsoft releases security updates on the second Tuesday of every month, and that is the most common release time. Some security updates need to be released immediately instead; that is the case for vulnerabilities that are exploited actively and at scale. Other security updates may not get released immediately or on Patch Tuesday at all, as they are postponed to the next feature update for a particular version of Windows.
Microsoft Security Servicing Criteria for Windows details the process of determining when to release patches. Two questions are central to that decision:
Microsoft creates security updates for vulnerabilities if the answer to both questions is yes. If at least one answer is no, Microsoft may postpone the update to the next version or release of Windows.
The document provides information on security boundaries, features, and defense-in-depth security features as well.
The two published documents shed some light on the severity rating scheme that Microsoft uses to classify vulnerabilities and how the company determines when to produce security updates for issues and when to push security updates to newer versions of Windows. (via Günter Born)
Wow, what a revelation. I guess the MS fanboy base made a lot of babies after the big reveal.
Holy sh*t that means Windows 10 is itself a Critical Security Bug !
Naaah, just joking. I loved that they installed that 1 Go game without asking me, and the integrated keylogger.