Skip to Content

Inside Microsoft’s Security Updates

A team from the Microsoft Security Response Center explains how vulnerability reports become security updates.
March 11, 2009

Ever wondered how Microsoft sorts through nearly 200,000 e-mailed reports of security vulnerabilities each year to produce between 70 and 80 annual security updates? Today at the computer-security conference SOURCE Boston, a team from the Microsoft Security Response Center explained how it does it. The updates, incidentally, are usually released over the course of the year on “patch Tuesday,” the second Tuesday of each month.

Team member David Midturi said that the vulnerabilities e-mailed in to secure@microsoft.com run the gamut in terms of credibility. Some researchers send in detailed papers describing an issue, including executable code demonstrating it in action. Other people send in vague or crackpot reports. Midturi showed one e-mail excerpt claiming that the door sound made by MSN Messenger indicated a serious security vulnerability of some kind. The Microsoft team reads and responds to all legitimate e-mails, usually within one business day.

About 1,000 reports are investigated further by the team, which tries to figure out how likely it is that an attacker will discover and exploit the vulnerability. “The bar for security releases is pretty high,” Midturi said, adding that the team tries to avoid barraging Microsoft customers with endless updates. Many of the software vulnerabilities that aren’t judged to be so serious go on to be fixed in the next service pack, he said.

For those cases that seem serious enough to warrant an immediate fix, the team spends some time trying to see how deep the vulnerability goes. Next, the team comes up with a fix and tests it for compatibility with other patches and other Microsoft software. In some cases, it can take a good six months to explore all the ramifications of a vulnerability and get a comprehensive, compatible fix. When the team does release an update, it rates how critical it is and assigns a number that estimates how likely it is that attackers will start exploiting the flaw within 30 days of the patch’s release.

Of course, sometimes nothing goes according to plan. The team went through how it dealt with a flaw discovered in Internet Explorer last December. Microsoft was unaware of the vulnerability before information was posted on Chinese message boards, along with detailed instructions on how to exploit it. It quickly burst into use in the wild, and the team worked frantically to release a patch, enlisting help from outside security researchers to speed up the process. In that case, it took the team just eight days from the time that it discovered the flaw to the release of the patch.

Keep Reading

Most Popular

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

OpenAI teases an amazing new generative video model called Sora

The firm is sharing Sora with a small group of safety testers but the rest of us will have to wait to learn more.

Google’s Gemini is now in everything. Here’s how you can try it out.

Gmail, Docs, and more will now come with Gemini baked in. But Europeans will have to wait before they can download the app.

This baby with a head camera helped teach an AI how kids learn language

A neural network trained on the experiences of a single young child managed to learn one of the core components of language: how to match words to the objects they represent.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.