Skip to Content
MIT Technology Review
Sign in

Inside Microsoft’s Security Updates

A team from the Microsoft Security Response Center explains how vulnerability reports become security updates.
March 11, 2009

Ever wondered how Microsoft sorts through nearly 200,000 e-mailed reports of security vulnerabilities each year to produce between 70 and 80 annual security updates? Today at the computer-security conference SOURCE Boston, a team from the Microsoft Security Response Center explained how it does it. The updates, incidentally, are usually released over the course of the year on “patch Tuesday,” the second Tuesday of each month.

Team member David Midturi said that the vulnerabilities e-mailed in to secure@microsoft.com run the gamut in terms of credibility. Some researchers send in detailed papers describing an issue, including executable code demonstrating it in action. Other people send in vague or crackpot reports. Midturi showed one e-mail excerpt claiming that the door sound made by MSN Messenger indicated a serious security vulnerability of some kind. The Microsoft team reads and responds to all legitimate e-mails, usually within one business day.

About 1,000 reports are investigated further by the team, which tries to figure out how likely it is that an attacker will discover and exploit the vulnerability. “The bar for security releases is pretty high,” Midturi said, adding that the team tries to avoid barraging Microsoft customers with endless updates. Many of the software vulnerabilities that aren’t judged to be so serious go on to be fixed in the next service pack, he said.

For those cases that seem serious enough to warrant an immediate fix, the team spends some time trying to see how deep the vulnerability goes. Next, the team comes up with a fix and tests it for compatibility with other patches and other Microsoft software. In some cases, it can take a good six months to explore all the ramifications of a vulnerability and get a comprehensive, compatible fix. When the team does release an update, it rates how critical it is and assigns a number that estimates how likely it is that attackers will start exploiting the flaw within 30 days of the patch’s release.

Of course, sometimes nothing goes according to plan. The team went through how it dealt with a flaw discovered in Internet Explorer last December. Microsoft was unaware of the vulnerability before information was posted on Chinese message boards, along with detailed instructions on how to exploit it. It quickly burst into use in the wild, and the team worked frantically to release a patch, enlisting help from outside security researchers to speed up the process. In that case, it took the team just eight days from the time that it discovered the flaw to the release of the patch.

Keep Reading

Most Popular

DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.

“This is a profound moment in the history of technology,” says Mustafa Suleyman.

What to know about this autumn’s covid vaccines

New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.

Human-plus-AI solutions mitigate security threats

With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure

Next slide, please: A brief history of the corporate presentation

From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.