Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

A View from Erica Naone

Inside Microsoft's Security Updates

A team from the Microsoft Security Response Center explains how vulnerability reports become security updates.

  • March 11, 2009

Ever wondered how Microsoft sorts through nearly 200,000 e-mailed reports of security vulnerabilities each year to produce between 70 and 80 annual security updates? Today at the computer-security conference SOURCE Boston, a team from the Microsoft Security Response Center explained how it does it. The updates, incidentally, are usually released over the course of the year on “patch Tuesday,” the second Tuesday of each month.

Team member David Midturi said that the vulnerabilities e-mailed in to secure@microsoft.com run the gamut in terms of credibility. Some researchers send in detailed papers describing an issue, including executable code demonstrating it in action. Other people send in vague or crackpot reports. Midturi showed one e-mail excerpt claiming that the door sound made by MSN Messenger indicated a serious security vulnerability of some kind. The Microsoft team reads and responds to all legitimate e-mails, usually within one business day.

About 1,000 reports are investigated further by the team, which tries to figure out how likely it is that an attacker will discover and exploit the vulnerability. “The bar for security releases is pretty high,” Midturi said, adding that the team tries to avoid barraging Microsoft customers with endless updates. Many of the software vulnerabilities that aren’t judged to be so serious go on to be fixed in the next service pack, he said.

For those cases that seem serious enough to warrant an immediate fix, the team spends some time trying to see how deep the vulnerability goes. Next, the team comes up with a fix and tests it for compatibility with other patches and other Microsoft software. In some cases, it can take a good six months to explore all the ramifications of a vulnerability and get a comprehensive, compatible fix. When the team does release an update, it rates how critical it is and assigns a number that estimates how likely it is that attackers will start exploiting the flaw within 30 days of the patch’s release.

Of course, sometimes nothing goes according to plan. The team went through how it dealt with a flaw discovered in Internet Explorer last December. Microsoft was unaware of the vulnerability before information was posted on Chinese message boards, along with detailed instructions on how to exploit it. It quickly burst into use in the wild, and the team worked frantically to release a patch, enlisting help from outside security researchers to speed up the process. In that case, it took the team just eight days from the time that it discovered the flaw to the release of the patch.

Cut off? Read unlimited articles today.

Become an Insider
Already an Insider? Log in.
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Basic.
  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Print Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.