The Microsoft Security Response Center is part of the defender community and on the front line of security response for our customers and the company. Our mission is to protect customers and Microsoft from current and emerging threats related to security and privacy. We monitor threats and provide updated tools and guidance to help organizations defend against, identify, and remediate attacks.
Oftentimes we are asked: why can’t Microsoft release security updates faster? Why can’t you release a security update instantly after a zero-day vulnerability has been identified? Why do you rely on coordinated vulnerability disclosure? These are great questions.
Lifecycle of a security update
“Developing a security update is a delicate balance between quality and timeliness. We must consider minimizing customer disruptions and maximizing customer protections.” ~Aanchal Gupta, Corporate Vice President, Microsoft Security Response Center
Every vulnerability is different, and each presents its own set of unique challenges that need to be solved. There are many factors that affect the length of time between the discovery of an issue and the release of a security update to address it. We must consider real world impact on customers when an update is released. This means taking into consideration the variety of customer environments across our products and services and the number of supported platforms the vulnerability may exist in.
When we develop an update, we follow an extensive process.
Upon discovery of a vulnerability, we immediately begin our forensic investigation. This is where we look at what a researcher may have reported or disclosed and match it to our internal understanding of the code base.
After doing this, our next step is variant analysis. This means that we search for and investigate any variants of the vulnerability. It is common for researchers, attackers, and defenders to inspect the code and functionality around the vulnerability. While they have disparate agendas, one shared goal is to understand whether there is additional functionality (seen from the other side, additional risk) that can contribute to the vulnerability. Variant review brings higher confidence that the vulnerability and similar cases are fully addressed. Our security updates often contain variant fixes.
Concurrently, Microsoft inspects service impact across our broad portfolio. As release nears, Microsoft provides trusted security partners with detection guidance through our Microsoft Active Protections Program (MAPP). At the same time, we provide the updates to close external partners via the SUVP program for real-world testing. Once our engineering teams develop an update, it must go through rigorous testing to ensure that the fix does not cause unintended side effects. The fix must meet the necessary quality standards before it can be released. Only after an update has passed these quality checks can it be released as part of our scheduled Update Tuesday process or as an out-of-band release (outside of our normal update release process). Meanwhile, we also prepare the CVE documentation to give customers guidance about the vulnerability, answer frequently asked questions, list any existing mitigations and workarounds, and link to the update and its release notes. This information is published in the Security Update Guide.
The above steps take time but are critical for an effective response.
What is a “zero day” vulnerability?
To start, a zero-day vulnerability is a flaw in software for which no official patch or security update has been released. A software vendor may or may not be aware of the vulnerability. Zero-day vulnerabilities often have high severity levels and can be actively exploited.
Do all zero-day vulnerabilities result in attacks?
No. Zero-day attacks often utilize high-severity zero-day vulnerabilities, but the disclosure of a vulnerability does not by itself mean that attacks will follow. Exploit complexity, the size of the installed base, and exploit reliability all factor into which zero-day vulnerabilities attackers might use to achieve their goals.
Coordinated Vulnerability Disclosure
First and foremost, to mitigate the risk of zero-day vulnerabilities and attacks, we believe in coordinated vulnerability disclosure (CVD). This is a proven industry best practice for addressing security vulnerabilities. The aim of Coordinated Vulnerability Disclosure is to provide timely and consistent guidance to customers to help them protect themselves. The Microsoft Security Response Center collaborates and partners with security researchers and vendors to manage coordinated vulnerability disclosure submissions. Vulnerability collaboration is about limiting the attacker’s window of opportunity, so customers and their data are better protected against cyberattacks before an issue is public. When vulnerabilities, such as a zero-day vulnerability, are disclosed irresponsibly, it puts customers at risk of compromise without the opportunity to detect and remediate the vulnerability in their environments. Our approach to coordinated vulnerability disclosure requests that researchers disclose newly discovered vulnerabilities in Microsoft’s hardware, software, and services directly to us. The researcher gives us the opportunity to diagnose the issue and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability information to the public. Upon release of an update, Microsoft recognizes the researcher for their findings and for privately reporting the issue. If the vulnerability is within the scope of one of our bounty programs, the researcher may receive a bounty award according to the program descriptions and may be publicly acknowledged for their contributions when we fix the vulnerability.
If attacks are underway in the wild, and Microsoft is still working on an update, then both the researcher and Microsoft work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to help them protect themselves.
Best practices for customers
We recommend that customers make sure their systems are as up-to-date and current as possible.
“Your tech infrastructure and security systems are like an ‘immune system’. Even if there is no update for a disclosed zero-day, keeping your systems current helps keep the entire system strong.” ~Aanchal Gupta, Corporate Vice President, Microsoft Security Response Center
Attackers take advantage of any weaknesses in an intended victim’s environment. Zero-day vulnerabilities make up only a small percentage of the weaknesses that are exploited. Recently addressed vulnerabilities, and sometimes much older vulnerabilities, are routinely used to attack customers. Sometimes an attacker needs to chain together vulnerabilities to achieve a successful compromise, and chained attacks can include both zero-day vulnerabilities and already-addressed vulnerabilities. If a malicious actor has identified a target victim, and that victim is behind on their updates, the threat actor may be able to exploit the vulnerability, whereas a victim with an updated system would have mitigated the vulnerability before the attacker could act on the malicious technique.
We schedule the release of security updates on “Update Tuesday,” the second Tuesday of each month at 10:00 AM PST (Pacific Standard Time). We recommend that IT pros plan their deployment schedules accordingly and that users install the latest updates. This planned cadence helps IT administrators plan and efficiently roll out updates into their environments. As part of the release, Microsoft publishes supporting documentation in the Microsoft Security Update Guide. This includes the assigned severity, an industry-standard CVSS score, and an exploitability index to help customers make risk-based decisions on the timely deployment of the security updates. When available, mitigation steps or workarounds that customers can use while they test and deploy the updates are also listed.
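The paragraph above gives IT administrators two things to plan around: a predictable release date and, per advisory, a severity, a CVSS score and an exploitability index. The following is an added example (not code from MSRC or the Security Update Guide) that computes the next Update Tuesday and ranks a set of constructed advisory records into a deployment plan; the CVE identifiers are placeholders, and the fast-track/standard windows are assumed policy values, not Microsoft guidance.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Exploitability Index values as published in the Security Update Guide.
EXPLOITABILITY = {
    0: "Exploitation Detected",
    1: "Exploitation More Likely",
    2: "Exploitation Less Likely",
    3: "Exploitation Unlikely",
}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


def next_update_tuesday(today: date) -> date:
    """Return the next Update Tuesday (second Tuesday of a month) on or after today."""
    year, month = today.year, today.month
    while True:
        first = date(year, month, 1)
        # weekday(): Monday == 0, so Tuesday == 1
        first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
        second_tuesday = first_tuesday + timedelta(days=7)
        if second_tuesday >= today:
            return second_tuesday
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


@dataclass
class Advisory:
    cve: str             # placeholder identifiers below, not real CVEs
    severity: str        # Critical / Important / Moderate / Low
    cvss: float          # CVSS base score
    exploitability: int  # Exploitability Index, 0..3


def deployment_order(advisories):
    """Most urgent first: exploited/likely-exploited, then severity, then CVSS descending."""
    return sorted(advisories, key=lambda a: (a.exploitability, SEVERITY_RANK[a.severity], -a.cvss))


def deployment_plan(advisories, today, fast_track_days=3, standard_days=14):
    """Assign each advisory a target deployment date relative to the release date (assumed windows)."""
    release = next_update_tuesday(today)
    plan = []
    for a in deployment_order(advisories):
        urgent = a.exploitability <= 1 or a.severity == "Critical"
        due = release + timedelta(days=fast_track_days if urgent else standard_days)
        plan.append((a.cve, EXPLOITABILITY[a.exploitability], due))
    return plan


# Constructed sample records with placeholder CVE numbers.
SAMPLE = [
    Advisory("CVE-0000-0001", "Important", 7.8, 0),
    Advisory("CVE-0000-0002", "Critical", 9.8, 2),
    Advisory("CVE-0000-0003", "Important", 8.8, 1),
    Advisory("CVE-0000-0004", "Moderate", 5.4, 3),
]
```

Calling `deployment_plan(SAMPLE, date(2023, 3, 1))` puts the actively exploited advisory first and anchors every due date to the 14 March 2023 release.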
For Microsoft 365 Defender, customers can navigate in the Defender portal to the Threat and Vulnerability Management feature found under the security recommendations page. This feature shows customers the vulnerable devices in their environments and surfaces content that is also exposed in the Microsoft Security Update Guide. Often when zero-day attacks are occurring, customers can also review Threat Analytics articles to provide additional context on the known attacks and the impact in their environment.
Sometimes, a threat actor needs to identify a target victim and convince that victim to open a malicious file or click on a malicious link that exposes their credentials before the vulnerability can be exploited. Following safe practices while online will help limit the chances that a zero-day will affect you. It may be obvious to some, but remember: only download apps, games, and software from major stores, and stick to those that are well-reviewed to reduce the risk of being tricked into downloading malware. Only accept content from someone you trust. If you receive an attachment or a link that you did not expect, or the content is out of the norm for the sender, do not take the risk; confirm with the sender before engaging with the content.