Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Hi there. Mike Nash from Microsoft here. For those of you who don’t know me, I am the Corporate Vice President responsible for security at Microsoft. Given the recent events around the Windows Meta File format vulnerability, an ongoing dialogue I have had with some customers and our recent decision to release an update for Windows out of band to correct this vulnerability, I thought I would take a minute to give you a sense of the thought process behind Microsoft’s decision.
As you know, we first heard about this vulnerability and the beginnings of the exploit last Tuesday, December 27. At that point, we immediately started investigating the reports, identified the problem and started working on a security update. At the same time, we started monitoring activities around the exploit to understand the rate of infection and the growing threat level.
There are three things we know for sure:
So back to the WMF issue, actually creating the update was a straight forward process. The challenge was testing the update on all of the supported versions of Windows and the 23 languages we support and making sure that the set of applications that might be effected by this update are not negatively affected by this change.
On Tuesday morning, we announced that our goal was to have an update available as part of our regular update cycle on January 10th. That date was based on our forecast on where we would be with quality.
So what changed to make us decide to release an update today? Two things: The first is that we have an update that we believe in. The team worked very hard to run all of the key scenarios that we are concerned about. While we would always like to have more time, we are confident in the quality of the update. The second issue is that while there is no imminent threat, a number of customers are seeing exploit traffic hitting their AV, IDS and IPS systems. Interestingly, when you talk to the security vendors they are seeing the rate of infection and the rate of spread actually decrease. But, when I spoke to a number of customers and asked if the current situation warranted an out of band release of the update, they said yes, if we had hit our quality goals. I reminded them of their past feedback about out of band updates being an inconvenience and their preference for the monthly release schedule. Overall, they felt that we had made these out of band releases so infrequent, that doing it once when it matters was not a big deal.
So the thing that I know you are all wondering is what should I do? So here is my advice. If you are a consumer or a small business, you should use either Windows Update (or ideally Microsoft Update) to automatically install the update. If you are running Windows XP SP2, you are likely already at least using Windows Update or Automatic Update. If you are an enterprise customer, you should deploy the update as soon as is feasible. Put it through your testing process and get it deployed. With the update available today, you certainly have the choice of deploying now or waiting until your normal release process. If it were my decision, I would move up the schedule. That is what we are doing in our IT operation here at Microsoft.
More information is available here: http://www.microsoft.com/technet/security/bulletin/advance.mspx.
*This posting is provided "AS IS" with no warranties, and confers no rights.*