Skip to main content

Security Update Lifecycle

The Microsoft Security Response Center (MSRC) monitors and manages security vulnerability reports from customers and is connected with a worldwide network of security researchers and partners that closely monitors security news lists and public forums.

Creating a Security Update

The MSRC Engineering team of security researchers conducts detailed technical investigations of Microsoft software security issues and works to develop solutions to resolve the issues for customers. The team also acts as the engineering technical leader for the Software Security Incident Response Process (SSIRP).

When a security update is being created, the MSRC works with the appropriate product team to ensure that the update is produced quickly and meets the MSRC quality bar. The MSRC also investigates ways that IT professionals and other customers can help protect themselves while Microsoft is evaluating the update. The MSRC Engineering team investigates the surrounding code and design and searches for other variants of the threat that could affect customers.

Testing Security Updates Internally

MSRC updates must meet strict quality standards that are designed to help ensure that an update will not interfere with software operation. All updates undergo extensive testing that can involve numerous product versions and service packs in many languages, as well as application compatibility testing for thousands of the world’s most popular third-party software products.

Testing of an update may involve hundreds of people working for several weeks. Teams test affected code as well as dependent and related areas of code for things such as application compatibility, setup and installation, and other possible usage scenarios, as well as the actual component that the update addresses. Broader sets of tests include deployment, detection, and partner testing, in which other teams and product groups at Microsoft test the update against their software.

Testing the Security Updates Externally

Before updates are made available to the public, Microsoft provides them to a limited group of customers who can test them in a broad range of configurations and environments. This practice, called the Security Update Validation Program, helps ensure the quality of security updates by testing them in environments, in configurations, and against applications that Microsoft cannot easily duplicate. Participants help identify potential compatibility problems before the MSRC releases the updates to the public. The program has reduced compatibility issues and has significantly enhanced the quality of security updates so that customers can deploy updates more quickly.

Releasing Security Updates, Bulletins, and Advisories

After a security update has been thoroughly tested, it is made available to the public. Microsoft provides support for business and developer products for 10 years after product release, and for consumer, hardware, and multimedia products for five years after product release. Implied in this support commitment is Microsoft’s assurance that security updates work with products that are supported at the time the security update is released. Full details of the Microsoft product lifecycle can be found on the Microsoft Support Lifecycle page.

Security updates are accompanied by a security bulletin, which is released in more than 10 languages. This supporting documentation includes frequently asked questions, information about possible workarounds and mitigations, and any other essential information that IT staff might need to resolve the vulnerability. The bulletin and other communications help customers assess risks and respond more effectively.

Microsoft releases security bulletins on the second Tuesday (US Pacific Standard Time) of every month. The monthly release cycle provides a number of benefits:

  • A predictable schedule that helps customers plan for deployment of security updates.
  • Fewer updates, with issues and updates combined when possible.
  • Improved overall quality of security bulletins. Coupled with the predictable release schedule, this enables customers to use a more refined production and testing process.

Microsoft Security Advisories are another way Microsoft communicates security information to customers. Advisories call attention to issues that might not be classified as vulnerabilities and might not require security bulletins, but that can still affect customer security.

Featured Download

Get inside information on how we manage vulnerabilities to help protect our customers.

MSRC Blogs

BlueHat Archive

See past BlueHat Sessions

BlueHat v12

BlueHat v11

BlueHat v10

BlueHat v9

BlueHat v8