A quick entry on the VML issue.

Hi everyone, Scott Deacon here again. Wanted to update you on what we’ve seen to date with the VML issue. Attacks remain limited. There’s been some confusion about that, that somehow attacks are dramatic and widespread. We’re just not seeing that from our data, and our Microsoft Security Response Alliance partners aren’t seeing that at all either. Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability. We’ve made some progress in our testing pass for the update and are now evaluating releasing this outside the monthly cycle, as we do any time customers are under threat and we believe we can issue an update that meets our quality bar for widespread deployment. So right now we’re looking at where we hit that quality bar, and if that occurs prior to the monthly cycle, then we will release.

That last bit is important because we were made aware this morning of a third-party “update” for this issue. We think it’s great that there are people out there working to help protect our customers. But as we’ve always said, we cannot endorse third-party updates. As a best practice, customers should obtain security updates and guidance from the original software vendor. That’s because we carefully review and test security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility.

The MSRC cannot provide any similar assurance for third-party security updates or mitigations.

But like I said, the good news here is that around 24-48 hours ago we began to see that we have the possibility of going out of band here, and we will keep you posted as we go. The primary driver here is quality and protecting customers, not adherence to the monthly schedule.

[EDIT: Scott here, the above paragraph seems to be confusing some people. During each engineering process, especially for an update regarding an issue that is being exploited, we evaluate where we are in the testing on a constant basis. We’ve become more confident in the past couple of days in our ability to do an out-of-band release, that’s all.]


*This posting is provided “AS IS” with no warranties, and confers no rights.*