Mike Nash on the Security Update for the WMF Vulnerability

Hi there.  Mike Nash from Microsoft here.  For those of you who don’t know me, I am the Corporate Vice President responsible for security at Microsoft.  Given the recent events around the Windows Meta File format vulnerability, an ongoing dialogue I have had with some customers and our recent decision to release an update for Windows out of band to correct this vulnerability, I thought I would take a minute to give you a sense of the thought process behind Microsoft’s decision.


As you know, we first heard about this vulnerability and the beginnings of the exploit last Tuesday, December 27.  At that point, we immediately started investigating the reports, identified the problem and started working on a security update.  At the same time, we started monitoring activities around the exploit to understand the rate of infection and the growing threat level.


There are three things we know for sure:

  1. Customers hate it when we ship updates to our software in general.  Ideally we address these kinds of issues before we ship our products.  That is what the Trustworthy Computing initiative and the Security Development Lifecycle (SDL) are all about.
  2. If there is one thing we have done right in the last 2 years, it’s our move to monthly updates.  Having a predictable schedule makes it easier for customers to plan, and when you can plan, it puts less stress on the customers’ infrastructure and their people, and the results are better.
  3. The only thing worse than having to deploy an update is having to deploy that same update twice because of a quality problem with the update.  As a result, we have made some extensive revisions to the way we test our updates.  Our basic philosophy is that the current version of any of our products is the latest version we shipped PLUS the latest service pack PLUS the set of updates we have shipped since the last service pack.  That product needs to be tested.  Can we test updates as extensively as the original product or service pack?  Probably not, given the need to be responsive, but if we are thoughtful we can focus our testing on the code paths and scenarios that matter the most and get great results.


So, back to the WMF issue: actually creating the update was a straightforward process.  The challenge was testing the update on all of the supported versions of Windows and the 23 languages we support, and making sure that the set of applications that might be affected by this update are not negatively affected by this change.


On Tuesday morning, we announced that our goal was to have an update available as part of our regular update cycle on January 10th.  That date was based on our forecast of where we would be with quality.


So what changed to make us decide to release an update today?  Two things.  The first is that we have an update that we believe in.  The team worked very hard to run all of the key scenarios that we are concerned about.  While we would always like to have more time, we are confident in the quality of the update.  The second issue is that while there is no imminent threat, a number of customers are seeing exploit traffic hitting their AV, IDS and IPS systems.  Interestingly, when you talk to the security vendors, they are seeing the rate of infection and the rate of spread actually decrease.  But when I spoke to a number of customers and asked if the current situation warranted an out-of-band release of the update, they said yes, if we had hit our quality goals.  I reminded them of their past feedback about out-of-band updates being an inconvenience and their preference for the monthly release schedule.  Overall, they felt that we had made these out-of-band releases so infrequent that doing it once when it matters was not a big deal.


So the thing I know you are all wondering is: what should I do?  Here is my advice.  If you are a consumer or a small business, you should use Windows Update (or ideally Microsoft Update) to automatically install the update.  If you are running Windows XP SP2, you are likely already at least using Windows Update or Automatic Update.  If you are an enterprise customer, you should deploy the update as soon as is feasible.  Put it through your testing process and get it deployed.  With the update available today, you certainly have the choice of deploying now or waiting until your normal release process.  If it were my decision, I would move up the schedule.  That is what we are doing in our IT operation here at Microsoft.


More information is available here: http://www.microsoft.com/technet/security/bulletin/advance.mspx


-Mike Nash


*This posting is provided “AS IS” with no warranties, and confers no rights.*