Insight Into Building a Microsoft Security Update

Have you ever wondered about the evolution of Microsoft security updates? Well, here is your chance to get an inside perspective on the process of building Microsoft Security Bulletin MS07-017, designed to address the critical vulnerability impacting Windows Animated Cursor Handling. Microsoft managed to make the update available in just five days since the first attack notification. This performance was applauded by Mike Reavey security program manager with MSRC, although the Redmond Company had been informed of the actual vulnerability since December 20, 2007.

With every reported flaw, Microsoft evaluates the impact severity and then moves on to triaging the flaw. "Based on the severity of the initial report, we began driving for release right after we were able to verify the vulnerability reproduced. The level of priority that we assign to a vulnerability is based on the severity of the vulnerability and the risk to customers. The level of urgency and our willingness to "shortcut" steps in the process, such as quality testing, to release on a faster timeline is based on the actual risk to customers at that time," Reavey explained.

Triaging is the first stage of the Microsoft process for building security updates. In this phase, the Redmond Company investigates the issue specifically reported but also adjacent problems. Microsoft will group all issues affecting the same components and release multiple updates in a single Security Buletin.

In the case of the .ANI file format handling vulnerability, "our investigation through January and February showed that there was a dependency between one of the files required to address a related vulnerability in a system driver that runs in kernel mode (win32k.sys) CVE-2006-5758 and the file that needed to be updated to resolve Windows Animated Cursor Handling vulnerability CVE-2007-0038 (user32.dll)," Reavey added.

This has resulted in Microsoft patching a total of 7 vulnerabilities with Bulleting MS07-017. Following the triaging, Microsoft moves to the actual creation and testing of the patch. The update for the .ANI vulnerability was built and tested throughout February and March.