What does this mean? Well, it means that I work with the Internet Explorer Product Team on what a given security update should contain, and then we plan out the work needed. They do much of the work; I don’t actually write the code itself. Simply put, you could say that I triage and prioritize vulnerability reports and coordinate with them to make the appropriate changes. Prioritizing the reports also depends on the Internet Explorer Team’s own findings for a given report. We then take a broader view as the product team drives a threat modeling exercise, and we analyze whether the changes are encompassing enough. Does it reproduce across various Internet Explorer versions? Does the vulnerability work in a default configuration? What is the impact? How can we put out an update as fast as possible but still make sure the update is high quality?
Allow me to linger on the last one for a bit: quality, what do you mean by that? Well, when making changes to any product outside of a Service Pack or a new version of the product, you always run the risk of changing some functionality, explicit or implicit, that someone else relies on. Of course you also run this risk at the Service Pack level, but those shipping vehicles require extensive planning that allows ample room for in-depth testing and feedback before shipping. A single update, like the security updates accompanying security bulletins, is also carefully planned and tested. If it is a straightforward overrun, like the one we fixed in Microsoft Security Bulletin MS04-040, then it might not be so hard, although we still need to perform rigorous testing on all supported versions of Windows and Internet Explorer, and in all supported languages. This is something people often forget: our goal is to release security updates for all supported versions of a product, e.g., IE, on all supported Windows versions, and in all supported languages. As recently as a few months ago the number of packages was enormous, over 400! That was because there were many IE versions still in support, such as on Windows XP gold and Windows NT. Now the number of individual packages is lower, but still quite staggering, and currently approaches 200. Longer and broader test passes are one thing that we have worked to put into place recently, and it has paid off in higher quality. Our move to releasing security updates on a monthly basis not only helps our customers, it also helps our internal processes and this testing effort to drive for quality.
But back to one of my favorite teams, the IE team. As you can imagine, I work very closely with the Internet Explorer team, which is a team that really rocks. You can find their web blog here, and I encourage you to visit it, read it, and provide constructive feedback. I have seen and played a bit with Internet Explorer 7, and let me tell you that I am excited about it! I will let others, elsewhere, speak to the feature set, but since I am in the MSRC, what I am excited about is the changes we are making that will have a direct impact on my work. When it comes out I can only urge you to install it and take it for a spin.
That’s enough about me! Please stop by the MSRC booth at TechEd Europe 2005 in Amsterdam to say hi to Simon and me, and take the opportunity to ask us questions or give us feedback in person.
Cheers
/Lennart
*This posting is provided “AS IS” with no warranties, and confers no rights.*