Advice Request Definition of a Security Vulnerability (by Microsoft)

Deleted member 178

Thread author
What's a security vulnerability? Most people think this would be an easy question to answer, but in fact it turns out not to be. This article discusses the definition used by the Microsoft Security Response Center (MSRC) to categorize the variety of issues we examine every day.

It may not be obvious at first why it's worth devoting several pages to discussing the meaning of the term. After all, it’s possible to look up both "security" and "vulnerability" in a dictionary and come to a reasonable understanding of what it means. By doing this, you might conclude that a security vulnerability is anything that offers a potential avenue of attack against a system, including things like malware, incorrectly configured systems, passwords written on sticky pads, and so on. It's true that issues like these do increase the risk to a system. However, this is a somewhat broader connotation than what's generally used within the security community and as we assess issues within MSRC.

For the context used in the software security industry and in MSRC, a vulnerability is a security exposure that results from a product weakness that the product developer did not intend to introduce and should fix once it is discovered. This gives the term special relevance to the MSRC, whose job it is to find such weaknesses whenever they exist in Microsoft products and correct them. This definition discussed helps identify problems that can and should be fixed. This article will help you understand what types of issues are generally addressed by security bulletins.

Also confirmed here is that UAC isn't a security boundary (which I explained thousands of times), so its "bypass" isn't considered a vulnerability.
 

Andy Ful

The UAC is not a typical security boundary. Yet, if we turn it off completely, we have a "security exposure that results from a product weakness that the product developer did not intend to introduce", where the product is the Windows system.
That is why UAC is patched in critical Windows Updates.:)
There are also some security boundaries (Windows built-in SRP) that would be more vulnerable without UAC.
So, UAC is security related, like passwords, disk encryption, etc.
When UAC is set to max and still can be bypassed, that will be a vulnerability for me.;)

The last word. The definition that contains the words "developer did not intend to introduce" is pretty useless. It is usually hard to prove what the developer's intentions were.:(
But even with this definition, something like a UAC Virtualization bypass should be considered a vulnerability.
 

509322

Thread author
The UAC is not a typical security boundary. Yet, if we turn it off completely, we have a "security exposure that results from a product weakness that the product developer did not intend to introduce", where the product is the Windows system.
That is why UAC is patched in critical Windows Updates.:)
There are also some security boundaries (Windows built-in SRP) that would be more vulnerable without UAC.
So, UAC is security related, like passwords, disk encryption, etc.
When UAC is set to max and still can be bypassed, that will be a vulnerability for me.;)

The last word. The definition that contains the words "developer did not intend to introduce" is pretty useless. It is usually hard to prove what the developer's intentions were.:(
But even with this definition, something like a UAC Virtualization bypass should be considered a vulnerability.

This is Microsoft's official position on process elevation - and UAC:

"The primary goal of UAC is to enable more users to run with standard user rights."

"As we've stated since before the launch of Windows Vista, the primary purpose of elevation is not security..."

Written over-and-over again on the net by Mark Russinovich.

Here is one link as an example: User Account Control: Inside Windows 7 User Account Control

UAC has security and security-related benefits, but that is not its purpose. The above linked article explains - sometimes cryptically - why UAC was implemented.

In a nutshell, use the Standard User Account... UAC is there for convenience. (To understand this you have to make the effort and read the above linked article.)
 

Andy Ful

I wrote: But even with this definition, something like a UAC Virtualization bypass should be considered a vulnerability.
I must admit that I was wrong (from the Microsoft point of view). UAC is for securing the system from application developers, but not from hackers and criminals.:(
So, every new UAC bypass is, by the definition, not a vulnerability. Yet, Microsoft is a generous developer and patches the UAC, because many people wrongly think that UAC may be vulnerable.:)

Someone spiteful could say that Microsoft did not do UAC so well, then stated that it was done intentionally in this way, so it should never be considered vulnerable.:confused:

Like all big corporations, Microsoft has good lawyers who can think up a smart definition to protect the corporation. On the other side, there are Microsoft computer guys who think out how to make Windows better.:)

Probably it is true that UAC was not considered to be a security solution. But it's constantly evolving in this direction.
 

509322

Thread author
The critical security patches say 'Yes' (mostly).

The official Microsoft position is "No." The patches have nothing to do with UAC as a security feature - which it is not. The patches have everything to do with UAC's own security.

I think the debate about UAC gets muddied by this - it was developed to provide for "convenient security" via the limited\standard user account, never was meant to be a security feature itself, but at the same time UAC itself has security benefits.

Does it provide security? Well, I think it does for a knowledgeable user who pays attention and exposes the command line to be executed within the alert drop-down menu.

I'm just saying... Microsoft always say "No" where UAC is concerned. Just say "UAC" and someone in Redmond immediately says "No."
 

Andy Ful

That is true. Some people even think that dinosaurs evolved from fishes. Microsoft still wants UAC to be the fish. People complain, that UAC is not a dinosaur.

We could debate this till we're blue in the face, just slap VoodooShield on there,
and disable UAC :p
Even VoodooShield users cannot agree about disabling UAC.:)
 

Handsome Recluse

Even VoodooShield users cannot agree about disabling UAC.:)
Twice the alerts with something Microsoft doesn't really care about would be too inconvenient for computing. Most probably only argue security and just throw away lack of convenience as an additional con for something they don't like.
One must not have fear, for fear allows people the opportunity to fleece you.
 

509322

Thread author
Even VoodooShield users cannot agree about disabling UAC.:)

Just keep it enabled at maximum and make the UAC registry hacks.

For those that know this is not difficult.

Stay out of the UAC debate as it is pointless.

If Microsoft says "No" then that is their prerogative. Their "intent" versus actual UAC "benefits" - it's an argument of intended purpose versus what it actually does. All I know is that a completely unexpected UAC prompt out of nowhere is a fairly good indication that something isn't right on a system.
 

Andy Ful

Twice the alerts with something Microsoft doesn't really care about would be too inconvenient for computing. Most probably only argue security and just throw away lack of convenience as an additional con for something they don't like.
One must not have fear, for fear allows people the opportunity to fleece you.

Yes, those are common and very true arguments when one prefers usability over security.:)
 

jamescv7

UAC has never become a solution to reduce security vulnerabilities; it's primarily designed to monitor any programs with supervision.

Vulnerabilities often happen everywhere in a product once leaks or holes are discovered, so it involves more than a tool for solutions.

People should understand that the life cycle is important to determine the practicality and reliability of the products.
 

Andy Ful

...
Stay out of the UAC debate as it is pointless.
...

Like all debates between evolutionists and creationists.:)

But, I had something different in mind. I do not like the MSRC definition: "a vulnerability is a security exposure that results from a product weakness that the product developer did not intend to introduce and should fix once it is discovered." Especially the phrase "did not intend", which is simply a lawyer precaution.
And the UAC is a simple example of two points of view: the developer view and the consumer view. Some consumers like the idea that UAC could evolve into a security solution, because it has the potential to be so. That point of view is not shared at all by Microsoft, and Microsoft has full rights to do so.

Finally, I like the debates with you, very much.:)
 

Exterminator

Hmm sounds to me like Microsoft's definition of a security vulnerability is to free them from any responsibility.
One big fine print disclaimer.
I feel much better about the definition knowing "it isn't intended as a legal document".
They left out "but a double edged sword" though.

A Little Fine Print
A final point before discussing the definition of vulnerability: it isn't intended as a legal document. The main goal in developing it was to make it simple and understandable, even if doing so meant that there are few gray areas. As a result, here are some disclaimers.
  • The definition is not a warranty; it's a tool that helps assess whether MSRC should address an issue through a security update. In the end, the decision about which issues warrant bulletins is a judgment call, based on giving our customers the best protection we can. Sometimes bulletins are developed for issues that are, strictly speaking, outside the definition. Likewise, it's conceivable that a particular issue might meet the strict definition but only occur under such rare conditions that customers might be better served if we focused our resources on other, broader, and more impactful problems.

  • The definition isn't a Microsoft corporate standard. It's an informal definition that MSRC uses to prioritize work. It isn't a logo requirement or part of any other corporate standard.
Definition
Now, here’s the definition of a security vulnerability.

A security vulnerability is a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of that product.

Now let's dissect exactly what the definition means. In the discussion that follows, the critical phrases and words are listed from the definition, defined precisely, and explained with examples with how the definition could be applied to real-life cases.

... a weakness in a product...
  • Weakness: Security vulnerabilities involve inadvertent weaknesses; by-design weaknesses may sometimes occur in a product, but these aren't security vulnerabilities.

  • Product: Security vulnerabilities are a result of a problem in a product. Problems that result from adhering to imperfect but widely accepted standards are not security vulnerabilities.
Average Joe to Microsoft: There was a security vulnerability that you did not patch and my PC exploded :mad:

Microsoft to Average Joe: Well, that did not meet our definition of a security vulnerability; please refer to this article: Definition of a Security Vulnerability.
We are sorry for the loss of your PC but might we suggest purchasing a new PC with Windows 10 :)

Average Joe to Microsoft: :(o_O:confused::mad::mad::mad::mad::mad::mad::mad::mad:
 

Andy Ful

I like this forum because of its so diverse, funny, and mostly polite opinions.:)
 

509322

Thread author
Hmm sounds to me like Microsoft's definition of a security vulnerability is to free them from any responsibility.
One big fine print disclaimer.
I feel much better about the definition knowing "it isn't intended as a legal document".
They left out "but a double edged sword" though.


Average Joe to Microsoft: There was a security vulnerability that you did not patch and my PC exploded :mad:

Microsoft to Average Joe: Well, that did not meet our definition of a security vulnerability; please refer to this article: Definition of a Security Vulnerability.
We are sorry for the loss of your PC but might we suggest purchasing a new PC with Windows 10 :)

Average Joe to Microsoft: :(o_O:confused::mad::mad::mad::mad::mad::mad::mad::mad:

LOL... read any software EULA. The publisher bears no responsibility and makes no representation of merchantability. The soft is offered "As-Is," the licensee uses the soft at their own peril, and the user is responsible for anything that happens on their system. If it weren't that way, then there would be no software industry because the industry would have been plowed-under decades ago from lawsuits.

Even without that definition, the Windows EULA covers Microsoft. It's true... read the Windows EULA.

"should fix once it is discovered."

The word "should" is carefully chosen. "Should," in English, legally means that it is at the publisher's discretion to fix or not to fix. There is no binding obligation or requirement that a fix must be made.

If "should" were replaced with "shall," then the publisher would be legally bound to fix the vulnerability.

You have to be a lawyer and read like a 5-year-old, one word at a time, stop, think - now what does it mean?, next word, stop, think - now what does it mean?,...
 

Andy Ful

...
You have to be a lawyer and read like a 5-year-old, one word at a time, stop, think - now what does it mean?, next word, stop, think - now what does it mean?,...

I know what you mean, and I have some practice (15 years) in using/interpreting laws.
That is why I said that this definition is a lawyer precaution.
I do not think that the MSRC definition of vulnerability will be important for Microsoft when patching Windows. The Microsoft Computer Guys know better what a real vulnerability is.
 