Microsoft takes a lot of heat in the press for security bugs, as it should: Windows has a huge installed base, and the effects of its vulnerabilities are global. Today, Microsoft is forthcoming about many security bugs, but the company hasn't always been so open. Until recently, Microsoft took days to acknowledge reproducible problems, often claiming that bugs were "design flaws."
Currently, Microsoft defines a security vulnerability as "a flaw in a product that makes it infeasibleâ€”even when using the product properlyâ€”to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust." Microsoft applies the definition to all bugs reported to or detected at the Microsoft Security Response Center (MSRC).
One way Microsoft learns about security vulnerabilities is through its firstname.lastname@example.org email address. Microsoft considers only 1 percent of all email messages sent to the secure address as serious enough to warrant an immediate fix. The MSRC has a formal process for every security concern that users report. The MSRC attempts to reproduce the problem, and the development team tries to understand the problem and the code involved. The Microsoft team determines whether the problem is best resolved with a workaround, a service pack, or a hotfix. If the solution requires a hotfix, the team tests the hotfix and packages it for deployment. Because the team has little time to test fixes, Microsoft sometimes has to re-release fixes. For more information about the MSRC process, go to http://www.microsoft.com/technet/treeview /default.asp?url=/technet/columns/security/essays/sectour.asp.