Welcome to the Microsoft Security Response Center Blog! : Mike Nash on the Security Update for WMF Vulnerability

Mike Nash on the Security Update for WMF Vulnerability

Hi there.  Mike Nash from Microsoft here.  For those of you who don’t know me, I am the Corporate Vice President responsible for security at Microsoft.  Given the recent events around the Windows Meta File format vulnerability, an ongoing dialogue I have had with some customers and our recent decision to release an update for Windows out of band to correct this vulnerability, I thought I would take a minute to give you a sense of the thought process behind Microsoft’s decision.


As you know, we first heard about this vulnerability and the beginnings of the exploit last Tuesday, December 27. At that point, we immediately started investigating the reports, identified the problem and started working on a security update. At the same time, we started monitoring activities around the exploit to understand the rate of infection and the growing threat level.


There are three things we know for sure:

  1. Customers hate it when we ship updates to our software in general. Ideally we address these kinds of issues before we ship our products. That is what the Trustworthy Computing initiative and the Security Development Lifecycle (SDL) are all about.
  2. If there is one thing we have done right in the last 2 years, it's our move to monthly updates. Having a predictable schedule makes it easier for customers to plan, and when you can plan, it puts less stress on the customers' infrastructure and their people, and the results are better.
  3. The only thing worse than having to deploy an update is having to deploy that same update twice because of a quality problem with the update. As a result, we have made some extensive revisions to the way we test our updates. Our basic philosophy is that the current version of any of our products is the latest version we shipped PLUS the latest service pack PLUS the set of updates we have shipped since the last service pack. That product needs to be tested. Can we test updates as extensively as the original product or service pack? Probably not, given the need to be responsive, but if we are thoughtful we can focus our testing on the code paths and scenarios that matter the most and get great results.
