Job Doesn't End on Patch Day

Once testing is complete, the process shifts to writing the bulletins themselves, which are scheduled for release on the second Tuesday of every month. During this phase the MSRC again coordinates closely with the product teams to strike a balance between giving customers accurate guidance and withholding enough detail that malicious hackers cannot easily reverse-engineer the patch. "We have one author for each bulletin. Then, once it's done, the entire team works on it to put in the correct mitigation guidance and available workarounds," he said.

Around 9:00 a.m. PDT on Patch Day, the bulletins are uploaded to Microsoft's security Web site and the accompanying e-mail alerts are sent out; but the job doesn't end there, Toulouse said. Once the patches ship, the MSRC goes into "watch mode" to monitor how researchers release their own alerts. In most cases those alerts are accompanied by proof-of-concept code, a practice that researchers favor but Microsoft frowns on. Private researchers say proof-of-concept code is valuable for testing patch quality, but Microsoft believes the information puts customers at risk because malicious hackers are skilled enough to turn the published code into working exploits against unpatched systems.

If exploit code starts to circulate, the MSRC shifts into "activation mode" to determine whether follow-up action is needed to head off a worm outbreak. In one case earlier this year, Microsoft activated its incident response mechanism and made an overnight decision to make an MSN Messenger patch a mandatory upgrade after the research firm that originally reported the flaw published code that could be used in a widespread attack. "Several dozen times over the past year, we've activated the security incident response system to deal with an issue. You may not know about it because it didn't escalate into a major incident, but we're quietly doing a lot of things to protect customers," he said.
Toulouse described patch creation and bulletin release as a "very complex and interesting process" that "starts long before you see the end result and never ends because we have to keep monitoring and updating the bulletins when new information becomes available."
Three working days before the scheduled bulletin release, Microsoft publishes an advance notification with brief details of the affected products and their severity ratings.