Updated: July 12, 2020 (December 15, 2003)
Sidebar: Vulnerabilities, Exploits, and Patches
Software security issues are generally characterized in terms of vulnerabilities, exploits, and patches. Vulnerabilities are bugs or other holes in software that expose the software, or systems built on it, to attack. Exploits are attacks, or the code that carries them out, that target known vulnerabilities; SQL Slammer, for example, was a worm that exploited a buffer overflow in SQL Server 2000. (Worms and viruses are not themselves vulnerabilities; they are malicious programs that spread by exploiting them.) Patches are small pieces of code that fix vulnerabilities.
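The three terms are easiest to see side by side. The C program below is an added illustration, not code from the original sidebar or from any Microsoft product: a network handler with a missing bounds check (the vulnerability), a constructed packet that overruns the handler's buffer into the saved return address (the exploit), and the same handler with the check added (the patch). The buffer and the saved return address are modelled as one flat byte array, so the overrun stays inside defined memory and the result is deterministic; the packet layout, sizes and the "good" return address are all hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated stack frame: a 16-byte input buffer immediately followed by the
 * saved return address of the function that owns it.  Kept as one flat byte
 * array so the overflow below lands in defined memory (a real stack smash is
 * undefined behaviour); the layout is an assumption for illustration. */
#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + 4)
#define RET_OFFSET BUF_SIZE
#define LEGIT_RET  0x08040000u      /* hypothetical legitimate return address */

struct frame  { uint8_t mem[FRAME_SIZE]; };
struct packet { uint16_t len; uint8_t data[64]; };   /* hypothetical wire format */

static void frame_init(struct frame *f) {
    uint32_t ret = LEGIT_RET;
    memset(f->mem, 0, FRAME_SIZE);
    memcpy(f->mem + RET_OFFSET, &ret, sizeof ret);
}

static uint32_t frame_ret(const struct frame *f) {
    uint32_t ret;
    memcpy(&ret, f->mem + RET_OFFSET, sizeof ret);
    return ret;
}

/* Vulnerability: trusts the attacker-controlled length field and copies that
 * many bytes into the 16-byte buffer with no check against BUF_SIZE. */
static int handle_vulnerable(struct frame *f, const struct packet *pkt) {
    size_t n = pkt->len;
    if (n > FRAME_SIZE) n = FRAME_SIZE;  /* simulation guard only: a real overflow
                                            keeps writing past the frame */
    memcpy(f->mem, pkt->data, n);        /* overruns the buffer into the saved ret */
    return 0;
}

/* Patch: the one-line bounds check the vulnerable handler lacks. */
static int handle_patched(struct frame *f, const struct packet *pkt) {
    if (pkt->len > BUF_SIZE) return -1;  /* reject anything the buffer cannot hold */
    memcpy(f->mem, pkt->data, pkt->len);
    return 0;
}

/* Constructed packet: 'A' filler for the first BUF_SIZE bytes, then 'B' bytes
 * that, when len exceeds BUF_SIZE, land on the saved return address. */
static struct packet make_packet(size_t len) {
    struct packet p;
    memset(&p, 0, sizeof p);
    if (len > sizeof p.data) len = sizeof p.data;
    p.len = (uint16_t)len;
    for (size_t i = 0; i < len; i++) p.data[i] = (i < BUF_SIZE) ? 'A' : 'B';
    return p;
}

/* Feeds a packet of the given length to a handler and returns the saved
 * return address afterwards.  A value other than LEGIT_RET means the
 * packet hijacked control flow. */
static uint32_t run(int (*handler)(struct frame *, const struct packet *), size_t len) {
    struct frame f;
    struct packet p = make_packet(len);
    frame_init(&f);
    handler(&f, &p);
    return frame_ret(&f);
}

int main(void) {
    printf("legit 8-byte packet, vulnerable: ret=0x%08x\n", run(handle_vulnerable, 8));
    printf("exploit 20-byte packet, vulnerable: ret=0x%08x\n", run(handle_vulnerable, 20));
    printf("exploit 20-byte packet, patched:    ret=0x%08x\n", run(handle_patched, 20));
    return 0;
}
```

With the vulnerable handler the 20-byte packet replaces the saved return address with 0x42424242 (four 'B' bytes); the patched handler refuses the packet and the address is untouched, while a well-formed 8-byte packet passes through both. Slammer's vulnerability (MS02-039) was a flaw of exactly this shape in the SQL Server Resolution Service, and its patch likewise amounted to a bounds check.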
Vulnerabilities in Microsoft products are ordinarily flagged by external sources: a customer using SQL Server, say, or an independent security research group such as the colorfully named “The Last Stage of Delirium,” which found the Windows RPC/DCOM vulnerability later exploited by the Blaster worm. (The SQL Server buffer overflow that Slammer used had been reported to Microsoft and patched about six months before the worm appeared.) When a user or a group uncovers a vulnerability, it reports it to the Microsoft Security Response Center (MSRC), which assesses the risk the vulnerability poses and alerts the appropriate Microsoft development organization, which then fixes the underlying code. If the vulnerability is deemed sufficiently threatening, Microsoft releases the patch immediately through the MSRC, accompanied by a security bulletin. Fixes for less threatening vulnerabilities are typically rolled into the product’s next service pack, a collection of product bug fixes and previously released patches that the company releases periodically.