Microsoft published two security-related documents recently that describe how the company determines the severity level of vulnerabilities and how it decides when to release the updates.
The first document, Microsoft Vulnerability Severity Classification for Windows, lists information that Microsoft's Security Response Center uses to classify the severity of security issues disclosed to the company or found by company employees.
Microsoft distinguishes between server and client systems, and classifies vulnerabilities accordingly.
Certain vulnerability or attack characteristics may lead to higher or lower severity ratings.
Microsoft revealed in a second document how it determines when to publish security updates for vulnerabilities.
Windows users and administrators know that Microsoft releases security updates on the second Tuesday of every month, and that is the most common time for a release. Some security updates need to be released immediately instead; that is the case for vulnerabilities that are being actively exploited at scale. Other security updates may not be released immediately or on Patch Tuesday at all, as they are postponed to the next feature update for a particular version of Windows.
Microsoft Security Servicing Criteria for Windows details the process of determining when to release patches. Two questions are decisive in that process:
Microsoft creates security updates for vulnerabilities if the answer to both questions is yes. If the answer to at least one of them is no, Microsoft may postpone the fix to the next version or release of Windows.
The document provides information on security boundaries, features, and defense-in-depth security features as well.
The two published documents shed some light on the severity rating scheme that Microsoft uses to classify vulnerabilities, on how the company determines when to produce security updates for issues, and on when it defers fixes to newer versions of Windows. (via Günter Born)