For the second in this series of blog entries we want to look into which vulnerability reports make it into the monthly release cadence.
It may help to start with some history. In September 2003 we made a change from a release anytime approach to a mostly predictable, monthly release cadence. October 2003 ushered in what became known as Update Tuesday. How and when Microsoft releases new products and services in market products has changed over the years, but the monthly delivery of security content has remained steady.
So how do we decide what goes into a monthly security release? That decision largely rides on required customer action and risk. Required customer action is realized through products where customers need to take action to protect themselves against a vulnerability. For consumers, protection is accomplished through automatic updates. Not all of Microsoft’s offerings require customer action and are accordingly not part of the monthly cadence. In the next blog entry we will talk about online services cases which are the main class of reports not addressed on Update Tuesday. To assess risk, we utilize our security bug bar as established by the Security Development Lifecycle (SDL). Every vulnerability report is triaged against that bar and assigned a severity – critical, important, moderate, low, or defense in depth. We prioritize critical and important class vulnerabilities to be addressed in our monthly update cycle.
Lower severity vulnerabilities are typically considered for next version (v.Next) releases. Those may or may not be backported to platforms currently in support depending on their impact. On occasion lower severity vulnerabilities will be addressed in a monthly update, but those are more opportunistic updates where additional fixes for higher severity vulnerabilities were already releasing that month. For more information on what is in support and our support lifecycle, please visit https://microsoft.com/lifecycle. Later in this blog series we will discuss the v.Next process, how that has evolved over the years of our release cadence, and what researchers can expect from reports that fall into these classes.
The combination of all of these processes are what customers experience as our Update Tuesday cadence. The releases represent the highest risk vulnerabilities. We document the fixes with the risk information so customers can better make informed decisions for their environments. More information on how we create security updates can be found here: https://technet.microsoft.com/en-us/security/dn436305. For security researchers, these releases show their research and collaboration with Microsoft to better protect customers together.
In our next blog entry, we will explore vulnerability reports and resolution in our online services space.
Principal Security Group Manager
Microsoft Security Response Center