When the Microsoft Security Response Center (MSRC) decides to address a vulnerability with an update, MSRC begins to develop a security bulletin and other communications to broadcast the issue to customers.
Meanwhile, the affected product team works to create and test a software update to address the vulnerability.
Creating a Security Update
If the severity of a vulnerability warrants an update, the MSRC works with the appropriate product team to ensure the update is produced quickly and meets the MSRC quality bar.
MSRC also investigates additional ways that IT professionals and other customers can help protect themselves while they are evaluating the update. The MSRC engineering team investigates the surrounding code and design and searches for other variants of that threat that could affect customers.
Testing Security Updates Internally
MSRC will not release an update until it meets strict quality standards designed to ensure that the update will not interfere with software operation. As part of this commitment to security update quality, MSRC applies several levels of testing.
More than 100 people might be required to work for many weeks to test a substantial update. Each team performs a test pass, sometimes referred to as "depth testing," which covers affected code as well as any dependent or related areas of code.
Depth testing includes:
- Application compatibility testing
- Testing of the actual component that the update addresses
- Setup and install testing
- Other usage scenarios that might occur
The teams also review test cases they draw from other areas of code, and if necessary create new test cases to ensure the quality of a release. The teams then perform broader sets of tests that include deployment, detection, and partner testing, in which other teams and product groups at Microsoft test the update against their software.
Testing the Security Updates Externally
Before updates are made generally available, Microsoft provides security updates to a limited group of customers who can test them in a broad range of configurations and environments.
This practice, called the Security Update Validation Program, helps ensure the quality of security updates by testing these security updates in environments, in configurations, and against applications that Microsoft cannot easily duplicate. Participants provide feedback based on their deployment experience to help identify potential compatibility problems before the MSRC releases the updates to the public.
The program has reduced compatibility issues and has helped enhance the quality of security updates significantly, making it easier for customers to deploy updates more quickly.
Security Bulletins and Other Communications
Advance Notification
To help customers plan for the monthly security bulletin release, Microsoft provides bulletin subscribers with advance information about security updates prior to their release through the Advance Notification Program. When possible, Microsoft makes this notice available three business days before a security bulletin is released.
Monthly Security Bulletin Summary
The monthly security bulletin summary gives high-level details of the bulletins being released. Each security bulletin summary includes the following:
- An executive summary table listing the individual bulletins and their severity
- Microsoft Exploitability Index assessments for each bulletin to assist in prioritizing deployment
- Details of all affected software and links to the individual security bulletins
- Detection and deployment tools and guidance
Security Bulletins
Security bulletins include the following:
- Details of all affected products
- A list of frequently asked questions
- Information about workarounds and mitigations
- Any other information that IT staff needs to address the vulnerability
Security Advisories
Microsoft also communicates security information to customers through Microsoft Security Advisories. Microsoft uses these advisories to communicate about issues that might not be classified as vulnerabilities and might not require security bulletins, but that might still have an effect on customers' overall security.
Tools for Enterprise Customers
Microsoft also offers Enterprise customers a variety of tools and resources to assist in the detection and deployment of security updates, including Security Update Management, Security Update Detection, and Security Assessment. For more information, see Security Tools.
Release Day: Second Tuesday
MSRC releases new security updates and their accompanying bulletins on the second Tuesday of every month at approximately 10 A.M. Pacific Time. MSRC makes updates available for download through the following sites:
- Windows Update
- Microsoft Update
- Automatic Updates
- Microsoft Download Center
- Office Update, when needed
- Microsoft Update Catalog
Customers who have signed up for the Microsoft Technical Security Notifications, Security Newsletters, and Windows Live Alerts receive email announcing the updates within a few hours of their release. MSRC also immediately notifies customers via Really Simple Syndication (RSS) feeds when it releases security bulletins. MSRC also provides a monthly security bulletin webcast, which is broadcast at 11 A.M. Pacific Time on the morning after the monthly release. The webcast provides customers with prescriptive security guidance and the opportunity to ask Microsoft subject matter experts about the security bulletins and about how to deploy the new updates.
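The release cadence described above (second Tuesday, advance notice three business days earlier, webcast the following morning) can be turned into a small scheduling helper for patch-management planning. This is an added Python example, not code from the MSRC page; it assumes Monday to Friday business days with public holidays ignored, and expresses times as Pacific wall-clock values without attaching a time zone.

```python
"""Compute MSRC release-cycle dates (added example; assumptions noted inline)."""
from datetime import date, datetime, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month (the monthly release day)."""
    first = date(year, month, 1)
    # date.weekday(): Monday=0 ... Tuesday=1; days until the first Tuesday
    offset = (1 - first.weekday()) % 7
    return first + timedelta(days=offset + 7)


def business_days_before(d: date, n: int) -> date:
    """Step back n weekdays (Mon-Fri). Assumption: holidays are not modelled."""
    cur = d
    while n > 0:
        cur -= timedelta(days=1)
        if cur.weekday() < 5:
            n -= 1
    return cur


def release_cycle(year: int, month: int) -> dict:
    """Key dates for one cycle. Times are Pacific wall-clock (naive datetimes)."""
    tue = patch_tuesday(year, month)
    release = datetime(tue.year, tue.month, tue.day, 10, 0)   # ~10 A.M. Pacific
    return {
        "advance_notification": business_days_before(tue, 3),  # "when possible"
        "release": release,
        "webcast": release.replace(hour=11) + timedelta(days=1),  # 11 A.M. next day
    }


def next_patch_tuesday(today: date) -> date:
    """First release day on or after `today`, rolling into the next month if needed."""
    tue = patch_tuesday(today.year, today.month)
    if tue >= today:
        return tue
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return patch_tuesday(year, month)


if __name__ == "__main__":
    for key, value in release_cycle(2024, 1).items():
        print(f"{key:>20}: {value}")
```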