Inside Microsoft’s Security Updates
Ever wondered how Microsoft sorts through nearly 200,000 e-mailed reports of security vulnerabilities each year to produce between 70 and 80 annual security updates? Today at the computer-security conference SOURCE Boston, a team from the Microsoft Security Response Center explained how it does it. The updates, incidentally, are usually released over the course of the year on “patch Tuesday,” the second Tuesday of each month.
Team member David Midturi said that the vulnerabilities e-mailed in to secure@microsoft.com run the gamut in terms of credibility. Some researchers send in detailed papers describing an issue, including executable code demonstrating it in action. Other people send in vague or crackpot reports. Midturi showed one e-mail excerpt claiming that the door sound made by MSN Messenger indicated a serious security vulnerability of some kind. The Microsoft team reads and responds to all legitimate e-mails, usually within one business day.
About 1,000 reports are investigated further by the team, which tries to figure out how likely it is that an attacker will discover and exploit the vulnerability. “The bar for security releases is pretty high,” Midturi said, adding that the team tries to avoid barraging Microsoft customers with endless updates. Many of the software vulnerabilities that aren’t judged to be so serious go on to be fixed in the next service pack, he said.
For those cases that seem serious enough to warrant an immediate fix, the team spends some time trying to see how deep the vulnerability goes. Next, the team comes up with a fix and tests it for compatibility with other patches and other Microsoft software. In some cases, it can take a good six months to explore all the ramifications of a vulnerability and get a comprehensive, compatible fix. When the team does release an update, it rates how critical it is and assigns a number that estimates how likely it is that attackers will start exploiting the flaw within 30 days of the patch’s release.
Of course, sometimes nothing goes according to plan. The team went through how it dealt with a flaw discovered in Internet Explorer last December. Microsoft was unaware of the vulnerability before information was posted on Chinese message boards, along with detailed instructions on how to exploit it. It quickly burst into use in the wild, and the team worked frantically to release a patch, enlisting help from outside security researchers to speed up the process. In that case, it took the team just eight days from the time that it discovered the flaw to the release of the patch.
Keep Reading
Most Popular
Geoffrey Hinton tells us why he’s now scared of the tech he helped build
“I have suddenly switched my views on whether these things are going to be more intelligent than us.”
ChatGPT is going to change education, not destroy it
The narrative around cheating students doesn’t tell the whole story. Meet the teachers who think generative AI could actually make learning better.
Meet the people who use Notion to plan their whole lives
The workplace tool’s appeal extends far beyond organizing work projects. Many users find it’s just as useful for managing their free time.
Learning to code isn’t enough
Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.
Stay connected
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.