Microsoft Security Response Center (MSRC) is a key component of the security infrastructure for Microsoft, the large, internationally known software manufacturer. The program manager of the center has been informed by a hacker of a potentially damaging security vulnerability in a piece of Microsoft's Internet server software. Neither the hacker nor MSRC knows for sure if systems using the software have been compromised, but they do know that the vulnerability has been discussed in hacker news groups. The program manager must determine who should be told, what needs to be done and when. This case and the accompanying Microsoft Security Response Center (B) and (C) cases (products 9B01E020 and 9B01E021) look at the strategy to solve the problems and deal with any possible public relations issues that arise from it.
Microsoft Security Response Center (MSRC) is a key component of the security infrastructure for Microsoft, the large, internationally known software manufacturer. A hacker has informed the program manager of the center of a potentially damaging security vulnerability in a piece of Microsoft's Internet server software. Neither the hacker nor MSRC knows for sure whether systems using the software have been compromised, but they do know that the vulnerability has been discussed in hacker news groups. The program manager must determine who should be told, what needs to be done, and when. This case looks at the strategy to solve the problems and deal with any possible public relations issues that arise from it.
Shortly after the Microsoft Security Response Center found out about a security vulnerability in a part of their Internet server software, the Internet Information Server development team was brought in to find a solution. The team determined that a patch developed months before would fix the problem. They needed to notify the world's Internet users immediately to prevent them from being attacked by hackers. The team had to figure out how to keep the security vulnerability quiet, and then suddenly tell the whole world about it. This supplement to Microsoft Security Response Center (A) 9B01E019 extends the situation as new information surfaces about the vulnerability.
The program manager and his team at the Microsoft Security Response Center decide to keep the security vulnerability and its solution quiet over the weekend. They contact the Microsoft Premier Support Organization, which provides high-level service to large companies, to get the solution to as many of their customers as possible, since large companies would be hackers' first targets. The bulletin was ready for release and, as far as the program manager could tell, the problem had remained quiet. He had to decide whether to release the patch the following morning or wait until they could prepare the patch in many languages. This is a supplement to Microsoft Security Response Center (A) and (B), products 9B01E019 and 9B01E020.