The MSRC: "Update Tuesday" Week Prior to RSA

Day 2 at RSA has reminded us that we certainly are arriving in San Francisco after a big week in Redmond.  Our team, which manages vulnerabilities and releases security updates AND manages security incidents, had an opportunity to exercise all of our expertise last week with the release of 12 security bulletins (8 of which were critical).  The preparation and management of the 12 bulletins was an enormous task – managing the development and testing was a huge engineering feat – dealing with many, many different product group development teams and managing the security updates through a centralized testing and release process.  In addition, the communications planning and execution was the largest we had ever encountered.  By one measure, the 12 security bulletins resulted in 70,000 words of text in the form of guidance and Knowledge Base information, which had to be translated into 23 languages worldwide – all before our release deadline of 10 am PT on Tuesday, February 8th. It really makes for a long week leading up to the release.

In addition, the communications team had the daunting task of ensuring that our worldwide field of nearly 30,000 people was informed and prepared to respond to customers at every level of the company regarding the details of each and every security bulletin.  And even more importantly, we had to make sure every customer and partner channel was well-briefed on the details of the updates, so customers could evaluate and deploy as soon as possible.  One way we did that was with a 2-plus-hour worldwide webcast, supported by nearly 3 dozen subject matter experts from every affected product team to answer direct questions from customers.

Post-release, the MSRC was tested further last week with the release of public proof-of-concept code for two of the security updates.  In one case, the proof-of-concept code was refined into exploit code for the LibPNG vulnerability in MSN Messenger.

We immediately went into our mobilization mode to understand the potential threat to customers and whether extraordinary steps were necessary to warn and protect customers from a potential exploit.  That means we literally go into the "War Room" and centrally bring together every stakeholder and expert in the company to understand the nature of the potential threat and all of the possible actions to prevent customer exploitation.  We bring someone from the product groups, the engineering team, the PSS team and my communications team all together around one table to hash out the situation. In this case, we immediately published information about this threat and customer guidance to http://www.microsoft.com/security/incident/im_info.mspx.  We have built into our incident response processes a way to publish customer guidance within the first 30 minutes of an issue being identified.  In this case, we did determine that the exploit code was potentially hazardous to customers and we did take steps to expedite a forced upgrade to all MSN Messenger customers.  I’m pleased to say that all 150 million MSN Messenger users worldwide are now updated and no longer subject to exploitation from this vulnerability. It was a big decision to make the upgrade mandatory in such a short period of time, but we collectively decided that the small inconvenience of having customers upgrade was the right thing to do to help protect them.

It is a testament to the deep commitment of every group at Microsoft that the MSRC is able to work so effectively and quickly in managing vulnerabilities and security threats.  Every affected product group rallied and supported our efforts to deliver the most recent security updates last week and every executive stands by our determination to keep customers up-to-date with the most current and transparent guidance – even while forcing an upgrade of an entire product.

Looking forward to Day 3!

Debby Fry Wilson

 

*This posting is provided "AS IS" with no warranties, and confers no rights.