Microsoft Earns Merit Patches for Security
But is Redmond’s medicine the right pill for dealing with new exploits?
May 1, 2007 —
(Page 1 of 4)
Microsoft has taken a lot of hits for perceived lack of security in its software. In response, Bill Gates gave the company’s security experts carte blanche to change that perception by improving the security of its products. Over time, this resulted in the remediation process that its Security Response team follows today. But is that process effective enough to protect customers?
When either the security community or its own internal experts discover a potential problem, the team takes the lead and starts a process that begins with triaging the issue and then coordinates the security response activities that follow.
The team’s first priority is scoping the exploit. After an issue is discovered, it passes through triage, and product-specific security experts are designated to investigate the scope and impact of the threat on an affected product, before the Secure Windows Initiative team evaluates the overall impact it may have on other Microsoft products, said Mark Miller, director of the Microsoft Security Response Center (MSRC).
Mike Reavey, operations manager of MSRC, expounded on this process in a April 3 Security Response Center Blog posting discussing a flaw in the way that Windows handles animated cursors and what Microsoft has done about it.
Reavey wrote in his blog that the team “drives for release” after it determines the vulnerability can be reproduced. The remediation is prioritized based upon severity, said Miller, analogous to the way hospital emergency rooms prioritize their critically ill patients. But exploits, like illnesses, can be evasive: The exact number of the afflicted is not always known up front.
From the start of the process, all possible surrounding issues are investigated. The triaging emphasizes the discovery of as many related issues as is possible. Often, this means that related vulnerabilities must be resolved to completely solve the problem, due to dependencies between Windows and other Microsoft products, Reavey wrote in his blog.
For example, MS07-017, the remedy for the animated cursor exploit, fixed not one but seven vulnerabilities. Reavey explained, in his blog, that Microsoft’s customers want security updates to be as comprehensive as possible. “Customers do not want to have to apply multiple updates to address issues in the same components.”
Share this link: http://sdt.bz/30553
Most Read Latest News Blog Resources
Appcelerator Acquires Cocoafish to Add Instant Mobile Cloud Capabilities to its Industry Leading Titanium Platform
Appcelerator Offers Messaging, Social, Location and Storage Mobile Cloud Services to All Mobile App Publishers
|
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
ComponentOne Releases a Collection of 40+ UI Widgets Powered by HTML5 and jQuery
ComponentOne has announced the 2012 release of Wijmo: a kit of UI widgets for HTML5 and jQuery development
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
|
Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles
|
|
Xceed releases UX-focused suite for Microsoft’s WPF
"Blendables" helps match user experiences to developer visions
|
Are you at risk for burnout?
Burnout is a severe problem and it can strike at any time. Here's how to tell if you are nearing the edge.
|
|
Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
|
|
RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
|
|
GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
|
The Hidden Costs of Software Licensing
Moving beyond paper-based software licensing to more flexible, software-based licensing is a business decision. There is a growing trend tow...
|
|
Case Study: You May Need a Development Mechanic
As a contractor for a major financial player in Germany, SOBEGE, a German-based consultancy specializing in embedded IT and web services, wa...
|
|
Ensuring Software Quality at a Major International Bank
One of the world’s leading international banks has adopted AgitarOne technology for delivering generated unit tests for their Java software...
|
|
Load Testing Adobe Flex Applications
Adobe Flex applications may be different from applications you’ve worked with before. For classic HTML web applications, the server does all...
|