Deleted member 178
Thread author
What's a security vulnerability? Most people think this would be an easy question to answer, but in fact it turns out not to be. This article discusses the definition used by the Microsoft Security Response Center (MSRC) to categorize the variety of issues we examine every day.
It may not be obvious at first why it's worth devoting several pages to discussing the meaning of the term. After all, it’s possible to look up both "security" and "vulnerability" in a dictionary and come to a reasonable understanding of what it means. By doing this, you might conclude that a security vulnerability is anything that offers a potential avenue of attack against a system, including things like malware, incorrectly configured systems, passwords written on sticky pads, and so on. It's true that issues like these do increase the risk to a system. However, this is a somewhat broader connotation than what's generally used within the security community and as we assess issues within MSRC.
For the context used in the software security industry and in MSRC, a vulnerability is a security exposure that results from a product weakness that the product developer did not intend to introduce and should fix once it is discovered. This gives the term special relevance to the MSRC, whose job it is to find such weaknesses whenever they exist in Microsoft products and correct them. This definition helps identify problems that can and should be fixed. This article will help you understand what types of issues are generally addressed by security bulletins.
It is also confirmed here that UAC isn't a security boundary (which I have explained thousands of times), so its "bypass" isn't considered a vulnerability.