Ever wondered how Microsoft sorts through nearly 200,000 e-mailed reports of security vulnerabilities each year to produce between 70 and 80 annual security updates? Today at the computer-security conference SOURCE Boston, a team from the Microsoft Security Response Center explained how it does it. The updates, incidentally, are usually released over the course of the year on “patch Tuesday,” the second Tuesday of each month.
Team member David Midturi said that the vulnerabilities e-mailed in to firstname.lastname@example.org run the gamut in terms of credibility. Some researchers send in detailed papers describing an issue, including executable code demonstrating it in action. Other people send in vague or crackpot reports. Midturi showed one e-mail excerpt claiming that the door sound made by MSN Messenger indicated a serious security vulnerability of some kind. The Microsoft team reads and responds to all legitimate e-mails, usually within one business day.
About 1,000 reports are investigated further by the team, which tries to figure out how likely it is that an attacker will discover and exploit the vulnerability. “The bar for security releases is pretty high,” Midturi said, adding that the team tries to avoid barraging Microsoft customers with endless updates. Many of the software vulnerabilities that aren’t judged to be so serious go on to be fixed in the next service pack, he said.
For those cases that seem serious enough to warrant an immediate fix, the team spends some time trying to see how deep the vulnerability goes. Next, the team comes up with a fix and tests it for compatibility with other patches and other Microsoft software. In some cases, it can take a good six months to explore all the ramifications of a vulnerability and get a comprehensive, compatible fix. When the team does release an update, it rates how critical it is and assigns a number that estimates how likely it is that attackers will start exploiting the flaw within 30 days of the patch’s release.
Of course, sometimes nothing goes according to plan. The team went through how it dealt with a flaw discovered in Internet Explorer last December. Microsoft was unaware of the vulnerability before information was posted on Chinese message boards, along with detailed instructions on how to exploit it. It quickly burst into use in the wild, and the team worked frantically to release a patch, enlisting help from outside security researchers to speed up the process. In that case, it took the team just eight days from the time that it discovered the flaw to the release of the patch.
A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?
Robot vacuum companies say your images are safe, but a sprawling global supply chain for data from our devices creates risk.
A startup says it’s begun releasing particles into the atmosphere, in an effort to tweak the climate
Make Sunsets is already attempting to earn revenue for geoengineering, a move likely to provoke widespread criticism.
10 Breakthrough Technologies 2023
These exclusive satellite images show that Saudi Arabia’s sci-fi megacity is well underway
Weirdly, any recent work on The Line doesn’t show up on Google Maps. But we got the images anyway.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.