back to article Microsoft reveals which Windows bugs it might decide not to fix

Microsoft’s published a draft “Security Servicing Commitments for Windows” in which it explains the bugs it will and won’t fix. The document (PDF) was revealed on June 12th and is intended for security researchers, to offer “better clarity around the security features, boundaries and mitigations which exist in Windows and the …

  1. Multivac

    Would it be at all possible to ........

    .....fix that bug where when you try and use it to open a web browser or open a word document or something and it seems to be very very busy doing something clearly very very important while completely ignoring any of those things I'm trying to do.

    1. Doctor Syntax Silver badge

      Re: Would it be at all possible to ........

      "it seems to be very very busy doing something clearly very very important while completely ignoring any of those things I'm trying to do."

      What? Do you think you're more important than M/S? It'll get round to you when it's your turn and not before.

    2. noboard

      Re: Would it be at all possible to ........

      But if they didn't do that, they wouldn't be able to make IE and Edge look really fast when they open up. It's the only trick they've got.

    3. Anonymous Coward
      Anonymous Coward

      'ignoring any of those things I'm trying to do'

      Another one bites-the-dust thinking that Windows is about the end-user. Outside of nursing Win7 or surviving on Linux, windows users are just guinea-pigs for Microsoft's corporate customers!

    4. King Jack
      Trollface

      Re: doing something clearly very very important

      How else is M$ supposed to earn a crust? It has to collect all your personal info and package it up to send to the mothership. That task cannot be delayed for any reason. It needs to know where to look for your latest submissions.

    5. jelabarre59 Silver badge

      Re: Would it be at all possible to ........

      No, you see computers are actually telepathic. They have code in the system that slows the computer down in response to your anxiety level; the more of a hurry you're in, the slower it will run.

    6. phuzz Silver badge

      Re: Would it be at all possible to ........

      It's not really fixing the problem, but buying an SSD (they're pretty cheap now) really helps make any OS (Windows/Linux/OSX etc) feel a lot more snappy, and open programs quicker.

  2. Dan 55 Silver badge

    Pay more, get less

    Now that Windows is SaaS, they're taking away the service.

    Looking forward to Windows getting regularly owned by chaining two or three moderate bugs together.

    1. big_D Silver badge

      Re: Pay more, get less

      This has been standard practice for decades.

      Back in the old Technet CD days, when there were only 10s of thousands of reported issues, you go to see them and there was a report on whether the issue was being addressed or not.

      Some bugs have littlle or no security impact. For example an escalation bug that can only be used when sitting at a machine and using a very complex set of criteria would affect practically nobody, but require, say, a few hundred man hours to fix. That isn't something that they will want to fix, as long as no other method is found to escalate the bug to a higher priority. If somebody has physical access to the machine, they probably don't need the exploit anyway. This would then be looked at, as to whether it will be fixed in a future version, because it isn't urgent and there are better things to spend time on, for example, remote execution and drive-by exploits that are serious and likely to be actively exploited.

      If MS had an infinite number of developers and infinite money, they could fix every bug. But with finite resources, you need to use the resources where it matters most.

      They are just setting out the parameters they use to determine which problems are important enough to fix immediatly, in the near term, in the long term or never so that researchers can understand how the reporting system works - and whether they are likely to get a bug bounty for their work.

      1. Dan 55 Silver badge

        Re: Pay more, get less

        Or there might be something wrong with their development methodology.

        1. Doctor Syntax Silver badge

          Re: Pay more, get less

          "Or there might be something wrong with their development methodology."

          Or their testing.

      2. Amos1

        Re: Pay more, get less

        "If somebody has physical access to the machine, they probably don't need the exploit anyway."

        The reality of malware is that there is almost nothing nowadays that requires true "physical access" and in the age of virtual machines it's even more true. As MS themselves once noted, if the bad guy can get you to run their program on your computer it's not your computer anymore.

        "For example an escalation bug that can only be used when sitting at a machine and using a very complex set of criteria would affect practically nobody ...",

        Not correct, not only because of malware (including JavaScript coming from hacked legit websites) but because one of the beauties of computers is that once someone has figured out how to do something evil, it's almost always trivial for the rest of the world to then do it.

      3. Walter Bishop Silver badge
        Linux

        Re: Pay more, get less

        @big_D: "If MS had an infinite number of developers and infinite money"

        I do believe Windows is such a convoluted mess of spaghetti code, that it's virtually impossible to verify the code is safe, using formal methods. Hey elReg editors, I have an idea, lets blame 'Russian' hackers :]

        1. Joe_the_geek

          Re: Pay more, get less

          Like managing traffic at that (in)famous intersection over in India , next version of Windows might probably be named Hindows10.

    2. Simon Harris Silver badge
      Coat

      Re: Pay more, get less

      "Now that Windows is SaaS..."

      Surely that's BSaaS - Blue Screen as a Service.

      Mine's the one with the recovery disc in the pocket --->

      1. Doctor Syntax Silver badge

        Re: Pay more, get less

        "Blue Screen as a Service"

        Are you sure BS stands for Blue Screen?

  3. N2 Silver badge

    Does that include

    Forced updates?

  4. Chris G Silver badge

    Duty of care

    It would be interesting in the UK at least to see how often MS's lack of interest in fixing bugs that don't meet their criteria would be considered a lapse of Duty of Care.

    From the WiddlyPaedia;

    In English tort law, an individual may owe a duty of care to another, to ensure that they do not suffer any unreasonable harm or loss. ... Generally, a duty of care arises where one individual or group undertakes an activity which could reasonably harm another, either physically, mentally, or economically.

    1. big_D Silver badge

      Re: Duty of care

      And this document explains the rules MS have used since I can remember. You need to then apply that to duty of care.

      The process is about using the resources they have to fix the problems that matter in a timely manner. The question is, of course, whether that falls within duty of care. This gives more transparency into the process they use, it doesn't affect the process itself.

      And it says that problems that have a high priority will be fixed ASAP and problems that have little or no security risk will be put to one side until there is time to deal with them, or incorporate it into the next release.

      1. ForthIsNotDead Silver badge

        Re: Duty of care

        The article says may owe a duty of care. In other words, it would have to be tested in court.

        The other complication is, you accept a licence agreement when you install the software, which will say something along the lines of "Microsoft accepts no responsibility for... By using this software You agree to indemnify Microsoft against all claims..." etc. etc... In other words, you're entering in a contract.

        After that point, you're down to convincing a judge why it is that the issue at hand is sufficient to consider the terms of the contract to have been broken, and why one should be compensated.

        It's shit, but that's how they (all - not just MS) get around it, I guess.

        1. Doctor Syntax Silver badge

          Re: Duty of care

          "Microsoft accepts no responsibility for... By using this software You agree to indemnify Microsoft against all claims..." etc. etc... In other words, you're entering in a contract.

          If such a set of contract terms attempts to overrule statutory obligations it'll get chucked out of court.

    2. Jim Mitchell

      Re: Duty of care

      If you want your complex software product to be completely bug free before being sold, you will never get to use the product. Enjoy your abacus.

  5. Anonymous Coward
    Anonymous Coward

    New Policy = Microsoft's carte-blanche to avoid treading on the GCHQ/NSA's toes at the coalface.

    Does fixing a bug block known code from GCHQ/NSA Data Slurping?

    Yes -> Has the bug being found by security researchers?

    Yes -> It may be fixed (See table).

    No -> Not our problem, see GCHQ/NSA.

    New (alleged) Policy:

    MS does do backdoors, but only ones that are known to GCHQ/NSA and not Security researchers.

  6. msknight Silver badge

    So....

    They sort of have a policy, which they may or not apply, depending on whether they feel like it, or whether or not it has hit the international press...

    1. msknight Silver badge

      Re: So....

      Aha! A downvote! - The M$ shill strikes again !!!

      1. msknight Silver badge
        Happy

        Re: So....

        Love this place :-D

        1. GnuTzu Bronze badge

          Re: So....

          @msknight, I wonder how many here follow your Linux/tech vids on YouTube.

          1. msknight Silver badge

            Re: So....

            Probably none ... I've shifted to Vimeo :-D ... and I'm mildly amazed (and slightly humbled) that anyone here knows of my channels.

  7. Anonymous Coward
    Anonymous Coward

    MS Logic

    User: Help! The auto-update broke my driver and gave me BSOD!

    MS: Let's see. Check Q1, this isn't a vulnerability so no promise made, so No. Check Q2, does it still meet the bar for servicing... Cloud service is working, users' subscription still getting auto renew. So also No. No fix is required!

    User: F*ck u.

    1. Anonymous Coward
      Anonymous Coward

      Re: MS Logic

      You're absolutely right! If you apply the *Security Servicing* set of questions to an issue which is *not a security issue* you will always get the answer "No security fix is required".

      Luckily for you there are other rules in place which govern non-security related issues, such as drivers causing BSODs :)

    2. Ken Hagan Gold badge

      Re: MS Logic

      "The auto-update broke my driver and gave me BSOD!"

      If that can be triggered remotely, it's a denial-of-service attack. For example, a BSOD in the driver for a network card or storage driver would fit the bill if it was triggered by particular patterns of data (that an attacker could easily provide from the outside).

      Given the scope for additional corruption of the system, unknown in both extent and location, if you can BSOD a box, it is probably quite a serious security bug.

      1. LateAgain

        Re: MS Logic

        Surely auto updates that kill your machine are by definition Remote Denial of Service?

  8. Chris G Silver badge

    Who's your daddy?

    Looking at the downvotes so far, it would appear there is a shill on the premises.

    I am expecting a comment in support of MS's decision to treat bugs in this way at any moment.

    1. Anonymous Coward
      Anonymous Coward

      Re: Who's your daddy?

      Hey this is a good thing. Think about it, the less updates and fixes the less chance of your computer breaking. I can't see why people are complaining. It is free after all.

      Regards,

      Microsoft Shill

      1. Chris G Silver badge

        Re: Who's your daddy?

        You may be right there.

        I only install the updates I want, the rest are ignored.

      2. This post has been deleted by its author

    2. Ken Hagan Gold badge

      Re: Who's your daddy?

      "I am expecting a comment in support of MS's decision to treat bugs in this way at any moment."

      Well, yes. Perhaps someone who read the fucking article will chip in. MS are saying that they will prioritise bugs that are both serious and which undermine the system owner's control of the system. Bugs that either aren't serious or that can be mitigated by the system owner being a bit more careful, are a lesser priority and will be dealt with as resources permit.

      We can argue about what "serious" means and how many resources should be available, but the policy sounds quite reasonable and most large FOSS projects operate the same way. (In fairness, one or two look like their policy is "I'll fix what I'm interested in and you lot can piss off." but most *large* projects aren't run that way.)

  9. Thoguht Silver badge

    If you think all this is bad, you should try getting them to fix a bug in Windows Mobile 6.5.

    1. Waseem Alkurdi

      Like this ...

      ... bug in 2010?

      https://www.wired.com/2010/01/windows-mobile-bug-dates-messages-from-2016/

  10. Wolfclaw Silver badge

    Step 1. Will it cost Microsoft in a big lawsuit, if yes, fix it, if no, hide all evidence, play dumb and ignore the users.

    Setp 2. If it will cost us money, can we get away with EOL the product so we can ignore the issues.

    Step 3. Can we blame another parties software.

    Step 4. Will it bork machines, if yes, rollout a fix anyway.

  11. Aristotles slow and dimwitted horse Silver badge

    How about fixing the one where...

    Having been unable to prevent my Windows 10 laptop from installing the latest shambles of an update pack, how about fixing the one that has totally shafted the wifi adapter so it now won't connect to anything whatever steps I take.

    Also, how about giving me back the choice to update or not.

    Seriously pissed off with M$ about this.

    1. TVU Silver badge

      Re: How about fixing the one where...

      "Seriously pissed off with M$ about this"

      An option might be to try out the Windows-like Linux Mint Mate and opt to install proprietary extras if and when asked. That should give you a working laptop and I should add that Linux Mint Mate can be tried out in advance using a live USB or DVD.

  12. elvisimprsntr

    "...how about fixing the one that has totally shafted the wifi adapter so it now won't connect to anything whatever steps I take.

    M$: Thank you for discovering and reporting a security vulnerability. We pushed a security update to your system to fix the vulnerability. Your computer should no longer be at risk.

    1. Anonymous Coward
      Anonymous Coward

      Your computer should no longer be at risk.

      Yes classic M$ solution is to make certain the OS machine will not load, so whilst "approved" hardware vulnerabilities still work for agency X, user won't be able to add any additional malware unless they wipe and reinstall.

  13. Doctor Syntax Silver badge

    "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"

    Promises?

  14. Herring`

    What would be more useful is the list of bugs that they are going to introduce.

  15. <BLINK/>

    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth

  16. Anonymous Coward
    Anonymous Coward

    That M$ seemingly do not have enough money to employ enough "experts"...

    ... to deal with the bugs found so far is not an excuse, especially when M$ have a policy of including old code (known to be insecure) in a "new" OS release and only then applying a fix to the "new" OS.

    That the same company has for years been advertising the "security" improvements of each new revision, I would say that is a promise that they never kept.

  17. Pascal Monett Silver badge

    What all this boils down to

    This article basically points out that Microsoft's reaction to a bug is as follows :

    - is it a nuisance ?

    and

    - do we care ?

    I think that clarifies things pretty well.

  18. Stevie Silver badge

    Bah!

    Not to pile on, but I read those bullets as:

    1) Did we unambiguously say in writing that the product would NOT do what it is now doing?*

    2) Can we be arsed to fix it?

    * - And we should fire whoever wrote that soonest.

  19. Anonymous Coward
    Anonymous Coward

    Downcast

    Every post over ~ 50 minutes old that said anything less than glowing about Microsoft got at least 2 downvotes. Every one. I've always wondered at this obvious stupidity. Is it Microsoft, lackeys, or both! Well, both specialize in repeated stupid.

    BTW: 'lackeys' b/c I and others are Windows users by necessity, not preference. Just ask Windows users for opinions: if the air doesn't turn blue you'll have found a lackey.

  20. ITS Retired

    These bug fixes... Or not

    "The document also explains that it rates bugs on a five-step scale - Critical, Important, Moderate, Low, and None – and that Microsoft only fixes Critical and Important flaws."

    So, after a while the software will be so full of Moderate and Low bugs, as to be unfit for purpose?

    1. EnviableOne Bronze badge

      Re: These bug fixes... Or not

      thats when they issue a service pack with a whole new bunch of bugs features to find

  21. adnim Silver badge

    "Draft document explains where Redmond thinks its responsibility ends"

    Seems to me Redmond thinks its responsibility ends at the EULA.

  22. Deliberatus1

    This is a surprise?

    Yet ANOTHER example of why to NOT use windows, or trust Microsoft.

  23. Anonymous Coward
    Anonymous Coward

    Can't fix 'em all

    They must leave a few bugs in place so that the NSA can peek at any time

  24. JakeMS Silver badge

    Well

    This just shows how much MS care about how well their software works (if at all) doesn't it?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019