Security Update Lifecycle

The Microsoft Security Response Center (MSRC) monitors and manages security vulnerability reports from customers and is connected with a worldwide network of security researchers and partners that closely monitors security news lists and public forums.


Creating a Security Update


The MSRC Engineering team of security researchers conducts detailed technical investigations of Microsoft software security issues and works to develop solutions to resolve the issues for customers. The team also acts as the engineering technical leader for the Software Security Incident Response Process (SSIRP).


When a security update is being created, the MSRC works with the appropriate product team to ensure that the update is produced quickly and meets the MSRC quality bar. The MSRC also investigates ways that IT professionals and other customers can help protect themselves while Microsoft is evaluating the update. The MSRC Engineering team investigates the surrounding code and design and searches for other variants of the threat that could affect customers.


Testing Security Updates Internally


MSRC updates must meet strict quality standards that are designed to help ensure that an update will not interfere with software operation. All updates undergo extensive testing that can involve numerous product versions and service packs in many languages, as well as application compatibility testing for thousands of the world’s most popular third-party software products.


Testing of an update may involve hundreds of people working for several weeks. Teams test the component that the update addresses, as well as dependent and related areas of code, for concerns such as application compatibility, setup and installation, and other likely usage scenarios. Broader sets of tests include deployment, detection, and partner testing, in which other teams and product groups at Microsoft test the update against their own software.


Testing the Security Updates Externally


Before updates are made available to the public, Microsoft provides them to a limited group of customers who can test them in a broad range of configurations and environments. This practice, called the Security Update Validation Program, helps ensure the quality of security updates by testing them in environments, in configurations, and against applications that Microsoft cannot easily duplicate. Participants help identify potential compatibility problems before the MSRC releases the updates to the public. The program has reduced compatibility issues and has significantly enhanced the quality of security updates so that customers can deploy updates more quickly.


Releasing Security Updates and Advisories


After a security update has been thoroughly tested, it is made available to the public. Microsoft provides support for business and developer products for 10 years after product release, and for consumer, hardware, and multimedia products for five years after product release. Implied in this support commitment is Microsoft’s assurance that security updates work with products that are supported at the time the security update is released. Full details of the Microsoft product lifecycle can be found on the Microsoft Support Lifecycle page.


Security updates are published through the Security Update Guide, available in 8 languages and through an API. The accompanying documentation includes severity and impact ratings, possible workarounds and mitigations, and other essential details that IT staff might need to address the vulnerability. This information helps customers assess risk and respond more effectively. Microsoft releases security updates on the second Tuesday of every month at 10AM (US Pacific Standard Time). The monthly release cycle provides a predictable schedule that helps customers plan the deployment of security updates.


Microsoft Security Advisories are another way Microsoft communicates security information to customers. Advisories call attention to issues that might not be classified as vulnerabilities and might not require security updates, but that can still affect customer security.