How Microsoft Fixes Security Vulnerabilities: Everything You Ever Wanted To Know About The MSRC Security Update Engineering Process

Presented at SOURCE Boston 2009 by

Take a look behind the scenes at the Microsoft Security Response Center, the group that ships Microsoft's security updates. Learn what happens for an eight-day out-of-band release in response to a 0day vulnerability (MS08-067). Learn also what goes into Microsoft's standard thorough investigation and testing process for updates released on the regular schedule. Come hear from the security engineers who triage incoming vulnerability reports, build fuzzers to find related issues, review code fixes, write security bulletins, develop mitigations and workarounds, document the vulnerability so MAPP (Microsoft Active Protections Program) partners can understand and build protections for it, and finally push out the update to hundreds of millions of computers every month. This talk will describe the steps that go into the resulting update.exe that shows up on your computer the second Tuesday of each month. And you'll hear it straight from front-line security engineers who have been doing this since 2003.