Microsoft SDL Bug Bar (original)

Microsoft Vulnerability Severity Classification for Windows

Our commitment to protecting customers from vulnerabilities in our software, services, and devices includes providing security updates and guidance that address those vulnerabilities when they are reported to Microsoft. We want to be transparent with our customers and security researchers in our approach. The information listed in this bug bar is used by the Microsoft Security Response Center (MSRC) to triage bugs and determine bug severity in terms of security.

When a vulnerability in one class (e.g. EoP) can be combined with by-design behavior to achieve a higher-class vulnerability (e.g. RCE), the vulnerability is rated at the higher class.

The ratings are derived from MSRC advisory rating classifications. This bug bar describes different severities for client software (defined as software that runs locally on a single computer, or software that accesses shared resources provided by a server over a network) and server software (computers configured to run software that awaits and fulfills requests from client processes running on other computers).

Server – Severity Pivot
The server bar is usually not appropriate when user interaction is part of the exploitation process. If a Critical vulnerability exists only on our server products and is exploited in a way that requires user interaction and results in the compromise of the server, the severity may be reduced from Critical to Important in accordance with the definition of extensive user interaction presented at the start of the client severity pivot.

**Critical** – Summary (Server): “Network Worms or unavoidable cases where the server is ‘compromised’.”

- **Elevation of Privilege (EoP)** – The ability to either execute arbitrary code OR obtain more privilege than authorized
  - Remote Anonymous User
    - Execution of arbitrary code
    - Unauthorized File System Access – arbitrary writing to file system
    - SQL Injection (that allows code execution)
    - Exploitable memory corruption issues in remote anonymously callable code
  - Guest virtual machine
    - In a virtualized environment, a vulnerability allows the guest VM to cause arbitrary code execution in the host machine, effectively defeating the virtualization security boundary.

**Important** – Summary (Server): “Non-default critical scenarios or cases where mitigations exist that can help prevent critical scenarios.”

- **Denial of Service (DoS)** – Must be "easy to exploit" by sending a small quantity of data or executing another simple and reliable attack. If connections have to be maintained for the DoS to persist, this will be a Moderate class issue.
  - Anonymous
    - Persistent DoS
      - Against a service from the Server Roles list within the 'Add Roles and Features Wizard' of Windows Server
      - Sending a small number of packets that causes a service failure in one of the aforementioned services
    - Causing a reboot
      - Sending a single malicious TCP packet results in a system crash
    - Temporary DoS with amplification
      - Sending a small number of packets that causes the system to be unusable for a period of time. Example: a web server (like IIS) being down for a minute or longer.
  - Authenticated
    - Persistent DoS **against a high value asset**
      - Sending a small number of packets that causes a service failure for a high value asset in server roles (ex: Certificate Server, Kerberos server, Domain Controller). For example, when a domain authenticated user can DoS a Domain Controller.
  - Guest virtual machine
    - In a virtualized environment, a vulnerability allows the guest VM to cause denial of service in the host machine or another guest machine, effectively defeating the virtualization security boundary.
- **Elevation of Privilege (EoP)** – The ability to either execute arbitrary code OR obtain more privilege than authorized
  - Remote Authenticated User; Local Authenticated User (Terminal Server)
    - Unauthorized File System Access – arbitrary writing to file system
    - Execution of arbitrary code
    - Exploitable memory corruption issues in code that can be accessed by remote or local authenticated users that are not administrators. (Administrator scenarios do not have security concerns by definition, but are still reliability issues.)
- **Information Disclosure (Targeted)**
  - Personally Identifiable Information (PII) disclosure:
    - Disclosure of PII (examples: email addresses, phone numbers, credit card info)
    - Attacker can collect PII without user consent or in a covert fashion
  - Unintentional read access to memory contents in kernel space from a non-administrative user mode process
  - In a virtualized environment, a vulnerability allows the guest VM to obtain current or previous memory contents of the host or another virtual machine, effectively defeating the virtual machine boundary.
- **Spoofing** – An entity (computer, server, user, process) is able to masquerade as a specific entity (user or computer) of his/her choice.
  - Web server uses client certificate authentication (SSL) improperly to allow an attacker to be identified as any user of his/her choice
  - New protocol is designed to provide remote client authentication, but a flaw exists in the protocol that allows a malicious remote user to be seen as a different user of his/her choice
  - An anonymous user is able to coerce an endpoint to authenticate, with no user interaction, to an arbitrary, attacker-controlled machine, where the authentication could then be relayed to a vulnerable service
- **Tampering** – Modification of any high value asset data in a common or default scenario where the modification persists after restarting the affected software.
  - Permanent or persistent modification of any user or system data used **in a common or default scenario**
  - Modification of application data files or databases in a common or default scenario, e.g. authenticated SQL Injection
  - Proxy cache poisoning in a common or default scenario
  - Modification of OS or application settings without user consent in a common or default scenario
- **Security Feature Bypass** – Breaking or bypassing any security feature provided
  - Disabling or bypassing Windows Defender Application Guard without informing the user or gaining consent
  - Disabling or bypassing Secure Boot without informing the user or gaining consent
  - Windows Hello bypass
  - BitLocker bypass, ex: not encrypting part of the drive

**Moderate**

- **Denial of Service (DoS)**
  - Anonymous
    - Temporary DoS without amplification in a default/common install
      - Remote clients consuming all available resources (sessions, memory, etc.) on a server by establishing sessions and keeping them open
  - Authenticated
    - Persistent DoS
      - Logged-in Exchange user can send a specific mail message and crash the Exchange Server, and the crash is not due to a Write AV, exploitable Read AV, or integer overflow
    - Temporary DoS with amplification in a default/common install
      - An ordinary SQL Server user executes a stored procedure installed by some product and consumes 100% of the CPU for a few minutes
- **Information Disclosure (Targeted)** – Cases where the attacker can easily read information on the system from specific locations, including system information, that was not intended/designed to be exposed
  - Targeted disclosure of anonymous data
  - Targeted disclosure of the existence of a file
  - Targeted disclosure of file version number
- **Spoofing**
  - An entity (computer, server, user, process) is able to masquerade as a different, random entity that cannot be specifically selected.
    - Client properly authenticates to server, but server hands back a session from another random user who happens to be connected to the server at the same time
    - MS04-002 (HTTP/NTLM & Exchange)
  - An entity (computer, server, user, process) is able to masquerade as a specific entity (user or computer) of his/her choice
    - The issue can be triggered either by an authenticated user or through user interaction, resulting in an endpoint authenticating to an arbitrary, attacker-controlled machine, where the authentication could then be relayed to a vulnerable service
- **Tampering**
  - Permanent or persistent modification of any user or system data **in a specific scenario**
  - Modification of application data files or databases **in a specific scenario**
  - Proxy cache poisoning **in a specific scenario**
  - Modification of OS/application settings without user consent in a specific scenario
  - Temporary modification of data in a common or default scenario that does not persist after restarting the OS/application/session
- **Security Assurances** – A security assurance is either a security feature or another product feature/function that customers expect to offer security protection. Communications have messaged (explicitly or implicitly) that customers can rely on the integrity of the feature, and that is what makes it a security assurance. Security advisories may be released for a shortcoming in a security assurance that undermines the customer’s reliance or trust.
  - Processes running with normal “user” privileges cannot gain “admin” privileges unless admin password/credentials have been provided via intentionally authorized methods
  - Internet-based JavaScript running in Microsoft Edge or Internet Explorer cannot control anything on the host operating system unless the user has explicitly changed the default browser security settings

**Low**

- **Information Disclosure (Untargeted)**
  - Runtime information
  - Leak of non-sensitive memory
- **Tampering**
  - Temporary modification of data in a specific scenario that does not persist after restarting the OS/application/session

Client – Severity Pivot
Extensive user interaction is explained as follows:

Clarification: Note that the effect of “extensive user interaction” is not “one level reduction in severity,” but is and has been “a reduction in severity in certain circumstances” where the phrase “extensive user interaction” appears in the bug bar. The intent is to differentiate fast-spreading, wormable attacks from those where the attack is slowed down because the user has to interact. This bug bar does not allow us to reduce Elevation of Privilege below Important because of user interaction.

**Critical** – Summary (Client): “Network Worms, or unavoidable common browsing/use scenarios where the client is compromised without warnings or prompts.”

- **Elevation of Privilege (Remote)** – The ability to either execute arbitrary code OR obtain more privilege than intended
  - Unauthorized File System Access – writing to file system
  - Execution of arbitrary code – without extensive user action
  - Exploitable memory corruption issues in remotely callable code (without extensive user action)
  - Guest virtual machine
    - In a virtualized environment, a vulnerability allows the guest VM to cause arbitrary code execution in the host machine, effectively defeating the virtual machine boundary

**Important** – Summary (Client): “Common browsing/use scenarios where the client is compromised with warnings or prompts, or via extensive actions without prompts.” Note that this does not discriminate over the quality/usability of a prompt and the likelihood that a user might click through the prompt, but only that a prompt of some form exists.

- **Elevation of Privilege (EoP)**
  - Remote
    - Execution of arbitrary code – with extensive user action
    - All Write AVs (Access Violations), all kernel-mode Read AVs (Access Violations), other exploitable Read AVs, or integer overflows in remotely callable code (with extensive user action)
    - Windows Store and Mobile Applications
      - Execution of arbitrary code outside the restricted app container context without user interaction
      - Use of capabilities without informing the user
        - Use of location capability without informing the user
        - Use of SMS capability without informing the user
  - Local
    - Local low-privilege user can elevate his/her rights to those of another user, administrator, and/or local system
    - All Write AVs (Access Violations), all kernel-mode Read AVs (Access Violations), and exploitable integer overflows
- **Information Disclosure (Targeted)** – Any cases where the attacker can bypass a security boundary to read information on the system that was not intended or designed to be exposed
  - Unauthorized File System Access – reading from file system
  - Unintentional read access to memory contents in kernel space from a user mode process
  - In an environment where a client is connecting to a server (a web browser connecting to a web server, for example), a vulnerability allows an attacker to collect information that facilitates predicting the addressing of the memory layout. In turn the attacker could use this information to deliver tailored exploits to bypass memory protection technologies such as DEP and ASLR for an additional RCE vulnerability
  - Exploitable memory corruption issues in code that can be accessed by remote or local authenticated users that are not administrators. (Administrator scenarios do not have security concerns by definition, but are still reliability issues.)
  - In a virtualized environment, a vulnerability allows the guest VM to obtain current or previous memory contents of the host or another virtual machine, effectively defeating the virtual machine boundary
  - Disclosure of Personally Identifiable Information (PII)
    - Disclosure of PII (example: email addresses, phone numbers)
- **Denial of Service (DoS)**
  - System corruption DoS that requires re-installation of the system and/or components
    - Visiting a web page causes registry corruption that makes the machine un-bootable
  - Drive-by DoS
    - Criteria: unauthenticated system DoS; default exposure; no user interaction; no audit-and-punish trail
    - Example: drive-by Bluetooth system DoS
- **Spoofing**
  - Ability for an attacker to present UI that is different from but visually identical to UI which users must rely on to make valid trust decisions in a default/common scenario. A trust decision is defined as any time the user takes an action believing some information is being presented by a particular entity, either the system or some specific local or remote source
    - Displaying a different URL in the browser’s address bar from the URL of the site that the browser is actually displaying in a **default/common scenario**
    - Displaying a window over the browser’s address bar that looks identical to an address bar but displays bogus data in a **default/common scenario**
    - Displaying a different file name in a “Do you want to run this program?” dialog box than that of the file that will actually be loaded in a **default/common scenario**
    - Displaying a "fake" login prompt to gather user or account credentials
  - An entity (computer, server, user, process) is able to masquerade as a specific entity (user or computer) of his/her choice
    - An anonymous user is able to coerce an endpoint to authenticate, with no user interaction, to an arbitrary, attacker-controlled machine, where the authentication could then be relayed to a vulnerable service
- **Tampering** – Permanent or persistent modification of any user data or data used to make trust decisions in a common or default scenario
  - Web browser cache poisoning
  - Modification of significant OS/application settings without user consent
  - Modification of user data
  - Writing of arbitrary data outside of the app container context without user interaction
- **Security Feature Bypass** – Breaking or bypassing any security feature provided
  - Disabling or bypassing Windows Defender Application Guard without informing the user or gaining consent
  - Disabling or bypassing Secure Boot without informing the user or gaining consent
  - Windows Hello bypass
  - BitLocker bypass, ex: not encrypting part of the drive

**Moderate**

- **Denial of Service (DoS)**
  - Permanent or persistent DoS – requires cold reboot or causes system crash
    - Opening a Word document causes the machine to crash
    - Browsing the Internet causes the machine to crash
    - Launching a Windows Store app causes the machine to crash
- **Information Disclosure (Targeted)** – Cases where the attacker can read information on the system from known locations, including system information, that was not intended/designed to be exposed
  - Targeted existence of file
  - Targeted file version number
- **Information Disclosure (Unencrypted connection) – Windows Store Applications** – Cases where the attacker can read information from the unencrypted connection
  - The application is revealing the user’s personal information – email address, name and surname, insurance number, medical information, national identification or any other data that can be used to identify the user
  - The application is revealing the user’s data – GPS coordinates, translator search, search queries or any other data that can be used to identify user preferences
  - The application is revealing internal IP addresses and the device data (ID, name or other)
- **Information Disclosure (Third party) – Windows Store Applications** – Case where the information is sent to a third-party server
  - The application is sending trackable information such as: user’s email address, user’s GPS coordinates, device data (ID, name or other) or internal IP
- **Spoofing**
  - Ability for an attacker to present UI that is different from but visually identical to UI that users are accustomed to trust in a specific scenario. “Accustomed to trust” is defined as anything a user is familiar with based on normal interaction with the OS/application but does not typically think of as a “trust decision”
    - Displaying an email attachment with a file extension that is different from the file’s actual extension
  - An entity (computer, server, user, process) is able to masquerade as a specific entity (user or computer) of his/her choice
    - The issue can be triggered either by an authenticated user or through user interaction, resulting in an endpoint authenticating to an arbitrary, attacker-controlled machine, where the authentication could then be relayed to a vulnerable service
  - Windows Store Applications
    - The application displays web content downloaded from an external server
      - Ability for an attacker to present UI that is different from but visually identical to UI which users must rely on to make valid trust decisions in a default/common scenario
      - Displaying a fake login dialog box; the user can be tricked into entering their account credentials
    - The application is loading any data from a local network IP address. Local addresses can be easily spoofed, especially on public Wi-Fi networks
- **Security Assurances** – A security assurance is either a security feature or another product feature/function that customers expect to offer security protection. Communications have messaged (explicitly or implicitly) that customers can rely on the integrity of the feature, and that is what makes it a security assurance. Security advisories may be released for a shortcoming in a security assurance that undermines the customer’s reliance or trust.
  - Processes running with normal “user” privileges cannot gain “admin” privileges unless admin password/credentials have been provided via intentionally authorized methods
  - Internet-based JavaScript running in Microsoft Edge or Internet Explorer cannot control anything on the host operating system unless the user has explicitly changed the default browser security settings

**Low**

- **Denial of Service (DoS)**
  - Temporary DoS – requires restart of application
    - Opening an HTML document causes Microsoft Edge to AV and crash
    - Opening a JPEG file causes a Windows Store photo viewer app to crash
- **Spoofing**
  - Ability for an attacker to present UI that is different from but visually identical to UI **where that UI serves as a single part of a larger attack scenario**
    - User has to go to a “bad” web site, click on a button in a spoofed dialog box, and is then susceptible to a vulnerability based on a different browser bug
- **Information Disclosure (Untargeted)**
  - Leak of non-sensitive heap memory
- **Tampering**
  - Temporary modification of any data that does not persist after restarting the OS/application

Hardware – Severity Pivot
The following terms are used in the definitions of the vulnerabilities:

**Critical**

- **Elevation of Privilege or Remote Code Execution**
  - OTA drive-by attacks with expected user interaction only. The attacker only needs to be within range of the targeted device to trigger the vulnerability

**Important**

- **Elevation of Privilege or Remote Code Execution**
  - OTA attacks with unexpected user interaction
  - Attacks that require connecting an external device either:
    - Without any user interaction
    - With any user interaction, but the resulting code execution has higher privileges than the user triggering the interaction
    - With expected user interaction to use a legitimate device, and the code execution occurs in the context of the user
- **Denial of Service**
  - OTA drive-by attacks with expected user interaction. The attacker only needs to be within range of the targeted device to trigger the vulnerability
- **Information Disclosure**
  - Information disclosure that requires connecting an external device either:
    - With or without any user interaction, and the leaked data is returned to the device
    - With any user interaction, and the data is returned to the user (malicious attacker), but the data comes from a more privileged context than what the malicious user has access to
  - OTA drive-by attacks either:
    - With or without any user interaction, and the leaked data is returned to the device or over the air
    - With any user interaction, and the data is returned to the user (malicious attacker), but the data comes from a more privileged context than what the malicious user has access to
- **Denial of Service**
  - OTA drive-by attacks with expected user interaction only. The attacker needs to be within range of the target to trigger the vulnerability

**Moderate**

- **Elevation of Privilege or Remote Code Execution**
  - Attacks that require connecting an external device with unexpected user interaction, where code execution occurs in the same context as the interacting user
- **Denial of Service**
  - OTA attacks with unexpected user interaction

**None**

- **Denial of Service**
  - Attacks that require connecting an external device and not fitting the Important or Moderate definitions

REVISION HISTORY