Microsoft reveals which Windows bugs it might decide not to fix

Microsoft’s published a draft “Security Servicing Commitments for Windows” in which it explains the bugs it will and won’t fix. The document (PDF) was revealed on June 12th and is intended for security researchers, to offer “better clarity around the security features, boundaries and mitigations which exist in Windows and the …

Would it be at all possible to ........

.....fix that bug where when you try and use it to open a web browser or open a word document or something and it seems to be very very busy doing something clearly very very important while completely ignoring any of those things I'm trying to do.

Re: Would it be at all possible to ........

"it seems to be very very busy doing something clearly very very important while completely ignoring any of those things I'm trying to do."

What? Do you think you're more important than M/S? It'll get round to you when it's your turn and not before.

Re: Would it be at all possible to ........

But if they didn't do that, they wouldn't be able to make IE and Edge look really fast when they open up. It's the only trick they've got.

Anonymous Coward

'ignoring any of those things I'm trying to do'

Another one bites the dust thinking that Windows is about the end-user. Outside of nursing Win7 or surviving on Linux, Windows users are just guinea-pigs for Microsoft's corporate customers!

Re: doing something clearly very very important

How else is M$ supposed to earn a crust? It has to collect all your personal info and package it up to send to the mothership. That task cannot be delayed for any reason. It needs to know where to look for your latest submissions.

Re: Would it be at all possible to ........

No, you see computers are actually telepathic. They have code in the system that slows the computer down in response to your anxiety level; the more of a hurry you're in, the slower it will run.

Re: Would it be at all possible to ........

It's not really fixing the problem, but buying an SSD (they're pretty cheap now) really helps make any OS (Windows/Linux/OSX etc) feel a lot more snappy, and open programs quicker.

Pay more, get less

Now that Windows is SaaS, they're taking away the service.

Looking forward to Windows getting regularly owned by chaining two or three moderate bugs together.

Re: Pay more, get less

This has been standard practice for decades.

Back in the old Technet CD days, when there were only 10s of thousands of reported issues, you could go and see them and there was a report on whether the issue was being addressed or not.

Some bugs have little or no security impact. For example an escalation bug that can only be used when sitting at a machine and using a very complex set of criteria would affect practically nobody, but require, say, a few hundred man hours to fix. That isn't something that they will want to fix, as long as no other method is found to escalate the bug to a higher priority. If somebody has physical access to the machine, they probably don't need the exploit anyway. This would then be looked at, as to whether it will be fixed in a future version, because it isn't urgent and there are better things to spend time on, for example, remote execution and drive-by exploits that are serious and likely to be actively exploited.

If MS had an infinite number of developers and infinite money, they could fix every bug. But with finite resources, you need to use the resources where it matters most.

They are just setting out the parameters they use to determine which problems are important enough to fix immediately, in the near term, in the long term or never, so that researchers can understand how the reporting system works - and whether they are likely to get a bug bounty for their work.

Re: Pay more, get less

Or there might be something wrong with their development methodology.

Re: Pay more, get less

"Now that Windows is SaaS..."

Surely that's BSaaS - Blue Screen as a Service.

Mine's the one with the recovery disc in the pocket --->

Re: Pay more, get less

"Or there might be something wrong with their development methodology."

Or their testing.

Re: Pay more, get less

"Blue Screen as a Service"

Are you sure BS stands for Blue Screen?

Re: Pay more, get less

"If somebody has physical access to the machine, they probably don't need the exploit anyway."

The reality of malware is that there is almost nothing nowadays that requires true "physical access" and in the age of virtual machines it's even more true. As MS themselves once noted, if the bad guy can get you to run their program on your computer it's not your computer anymore.

"For example an escalation bug that can only be used when sitting at a machine and using a very complex set of criteria would affect practically nobody ...",

Not correct, not only because of malware (including JavaScript coming from hacked legit websites) but because one of the beauties of computers is that once someone has figured out how to do something evil, it's almost always trivial for the rest of the world to then do it.

Re: Pay more, get less

@big_D: "If MS had an infinite number of developers and infinite money"

I do believe Windows is such a convoluted mess of spaghetti code, that it's virtually impossible to verify the code is safe, using formal methods. Hey elReg editors, I have an idea, let's blame 'Russian' hackers :]

Re: Pay more, get less

Like managing traffic at that (in)famous intersection over in India, the next version of Windows will probably be named Hindows10.

N2

Does that include

Forced updates?

Duty of care

It would be interesting in the UK at least to see how often MS's lack of interest in fixing bugs that don't meet their criteria would be considered a lapse of Duty of Care.

From the WiddlyPaedia;

In English tort law, an individual may owe a duty of care to another, to ensure that they do not suffer any unreasonable harm or loss. ... Generally, a duty of care arises where one individual or group undertakes an activity which could reasonably harm another, either physically, mentally, or economically.

Re: Duty of care

And this document explains the rules MS have used since I can remember. You need to then apply that to duty of care.

The process is about using the resources they have to fix the problems that matter in a timely manner. The question is, of course, whether that falls within duty of care. This gives more transparency into the process they use, it doesn't affect the process itself.

And it says that problems that have a high priority will be fixed ASAP and problems that have little or no security risk will be put to one side until there is time to deal with them, or incorporate it into the next release.

Re: Duty of care

The article says may owe a duty of care. In other words, it would have to be tested in court.

The other complication is, you accept a licence agreement when you install the software, which will say something along the lines of "Microsoft accepts no responsibility for... By using this software You agree to indemnify Microsoft against all claims..." etc. etc... In other words, you're entering into a contract.

After that point, you're down to convincing a judge why it is that the issue at hand is sufficient to consider the terms of the contract to have been broken, and why one should be compensated.

It's shit, but that's how they (all - not just MS) get around it, I guess.

Re: Duty of care

"Microsoft accepts no responsibility for... By using this software You agree to indemnify Microsoft against all claims..." etc. etc... In other words, you're entering into a contract.

If such a set of contract terms attempts to overrule statutory obligations it'll get chucked out of court.

Re: Duty of care

If you want your complex software product to be completely bug free before being sold, you will never get to use the product. Enjoy your abacus.

Anonymous Coward

New Policy = Microsoft's carte-blanche to avoid treading on the GCHQ/NSA's toes at the coalface.

Does fixing a bug block known code from GCHQ/NSA Data Slurping?

Yes -> Has the bug been found by security researchers?

Yes -> It may be fixed (See table).

No -> Not our problem, see GCHQ/NSA.

New (alleged) Policy:

MS does do backdoors, but only ones that are known to GCHQ/NSA and not Security researchers.

So....

They sort of have a policy, which they may or not apply, depending on whether they feel like it, or whether or not it has hit the international press...

Re: So....

Aha! A downvote! - The M$ shill strikes again !!!

Re: So....

Love this place :-D

Re: So....

@msknight, I wonder how many here follow your Linux/tech vids on YouTube.

Re: So....

Probably none ... I've shifted to Vimeo :-D ... and I'm mildly amazed (and slightly humbled) that anyone here knows of my channels.

Anonymous Coward

MS Logic

User: Help! The auto-update broke my driver and gave me BSOD!

MS: Let's see. Check Q1, this isn't a vulnerability so no promise made, so No. Check Q2, does it still meet the bar for servicing... Cloud service is working, users' subscription still getting auto-renewed. So also No. No fix is required!

User: F*ck u.

Anonymous Coward

Re: MS Logic

You're absolutely right! If you apply the *Security Servicing* set of questions to an issue which is *not a security issue* you will always get the answer "No security fix is required".

Luckily for you there are other rules in place which govern non-security related issues, such as drivers causing BSODs :)

Re: MS Logic

"The auto-update broke my driver and gave me BSOD!"

If that can be triggered remotely, it's a denial-of-service attack. For example, a BSOD in the driver for a network card or storage driver would fit the bill if it was triggered by particular patterns of data (that an attacker could easily provide from the outside).

Given the scope for additional corruption of the system, unknown in both extent and location, if you can BSOD a box, it is probably quite a serious security bug.

Re: MS Logic

Surely auto updates that kill your machine are by definition Remote Denial of Service?

Who's your daddy?

Looking at the downvotes so far, it would appear there is a shill on the premises.

I am expecting a comment in support of MS's decision to treat bugs in this way at any moment.

Anonymous Coward

Re: Who's your daddy?

Hey, this is a good thing. Think about it, the fewer updates and fixes, the less chance of your computer breaking. I can't see why people are complaining. It is free after all.

Regards,

Microsoft Shill

Re: Who's your daddy?

You may be right there.

I only install the updates I want, the rest are ignored.

Re: Who's your daddy?

"I am expecting a comment in support of MS's decision to treat bugs in this way at any moment."

Well, yes. Perhaps someone who read the fucking article will chip in. MS are saying that they will prioritise bugs that are both serious and which undermine the system owner's control of the system. Bugs that either aren't serious or that can be mitigated by the system owner being a bit more careful, are a lesser priority and will be dealt with as resources permit.

We can argue about what "serious" means and how many resources should be available, but the policy sounds quite reasonable and most large FOSS projects operate the same way. (In fairness, one or two look like their policy is "I'll fix what I'm interested in and you lot can piss off." but most *large* projects aren't run that way.)

If you think all this is bad, you should try getting them to fix a bug in Windows Mobile 6.5.

Like this ...

... bug in 2010?

https://www.wired.com/2010/01/windows-mobile-bug-dates-messages-from-2016/

Step 1. Will it cost Microsoft in a big lawsuit, if yes, fix it, if no, hide all evidence, play dumb and ignore the users.

Step 2. If it will cost us money, can we get away with EOLing the product so we can ignore the issues.

Step 3. Can we blame another parties software.

Step 4. Will it bork machines, if yes, rollout a fix anyway.

How about fixing the one where...

Having been unable to prevent my Windows 10 laptop from installing the latest shambles of an update pack, how about fixing the one that has totally shafted the wifi adapter so it now won't connect to anything whatever steps I take.

Also, how about giving me back the choice to update or not.

Seriously pissed off with M$ about this.

TVU

Re: How about fixing the one where...

"Seriously pissed off with M$ about this"

An option might be to try out the Windows-like Linux Mint Mate and opt to install proprietary extras if and when asked. That should give you a working laptop and I should add that Linux Mint Mate can be tried out in advance using a live USB or DVD.

"...how about fixing the one that has totally shafted the wifi adapter so it now won't connect to anything whatever steps I take."

M$: Thank you for discovering and reporting a security vulnerability. We pushed a security update to your system to fix the vulnerability. Your computer should no longer be at risk.

Anonymous Coward

Your computer should no longer be at risk.

Yes, the classic M$ solution is to make certain the machine's OS will not load, so whilst "approved" hardware vulnerabilities still work for agency X, the user won't be able to add any additional malware unless they wipe and reinstall.

"Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"

Promises?

What would be more useful is the list of bugs that they are going to introduce.

Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth

Anonymous Coward

That M$ seemingly do not have enough money to employ enough "experts"...

... to deal with the bugs found so far is not an excuse, especially when M$ have a policy of including old code (known to be insecure) in a "new" OS release and only then applying a fix to the "new" OS.

That the same company has for years been advertising the "security" improvements of each new revision, I would say that is a promise that they never kept.

What all this boils down to

This article basically points out that Microsoft's reaction to a bug is as follows:

- is it a nuisance?

and

- do we care?

I think that clarifies things pretty well.

Bah!

Not to pile on, but I read those bullets as:

1) Did we unambiguously say in writing that the product would NOT do what it is now doing?*

2) Can we be arsed to fix it?

* - And we should fire whoever wrote that soonest.

Biting the hand that feeds IT © 1998–2018