Microsoft Replaces Its Security Bulletin With an Online Database
For almost two decades, system administrators have relied on Microsoft’s monthly Security Bulletin for information about vulnerabilities and their patches. But the company is changing its approach this month, replacing the bulletins with an online database.
The new Security Update Guides will debut with February’s Patch Tuesday. The new format is getting lukewarm reviews so far.
Microsoft releases security updates each month on Patch Tuesday to correct vulnerabilities in its software. These updates are grouped into security bulletins for the different types of issues that they fix. Microsoft also issues security advisories for information that doesn’t fit the scope of a bulletin.
The security bulletins explain how each update fixes the issues and the impact of the issue on customer systems. Each bulletin has one or more Knowledge Base articles that help explain more details about the updates.
The bulletins also include a severity rating, which is a quick way to assess the risk an update addresses. The ratings indicate whether the update is Critical, Important or Moderate. The severity rating is based on how easy the vulnerability is to exploit. Microsoft also factors in the attack surface: whether an attacker needs a local account or only network access, and whether the attack is physical or remote.
The security bulletin provides more details about the fixes that Microsoft is releasing this month. Specifically, it describes which vulnerabilities are being corrected and gives you an idea of their impact. In addition, the security bulletin explains how Microsoft decides which bugs get the Critical rating and which get the Important rating, with Moderate and Low below those.
The bulletin also explains base score metrics, which describe how easy the vulnerability is to exploit. For example, a vulnerability is more likely to be exploited if it can be triggered locally, from adjacent networks or with physical access.
For some time, Microsoft has also used the security bulletin to discuss information that doesn’t qualify as a vulnerability but is still important for customers to know about. That is why you’ll still see the occasional Microsoft Technical Security Notification. These will provide you with in-depth information about issues that you can’t find elsewhere. They’ll appear in addition to the monthly bulletins, and you can subscribe by email to get these notifications.
Microsoft patched 64 vulnerabilities in its products this month. The company shipped fixes for five bugs rated Critical, 57 bugs rated Important and one bug rated Moderate. It also fixed a zero-day flaw that hackers were already exploiting in real-world attacks.
The Microsoft Security Bulletin Severity Rating System is a simple four-level system that helps you decide whether an update is essential and needs to be applied as soon as possible. It applies to every update issued by Microsoft and lets you know how critical the vulnerability is for your environment.
The Security Update Guide provides detailed information about each update and includes links to the individual Knowledge Base articles. These are useful for IT professionals and administrators who want to see more technical details about each update. However, this month marked the last time that Microsoft will publish the detailed security bulletins that it has used for nearly two decades to detail the patching process and explain the vulnerabilities corrected each month.
Microsoft recommends that users apply the critical updates in a timely manner, either by using Update Management or manually checking for the update with Windows Update. For users of older releases of software, the company encourages them to migrate to supported versions that are still receiving security support.
The company also provides a set of tools to help administrators automate the deployment and testing of Microsoft patches. These include Windows Server Update Services, Systems Management Server and System Center Configuration Manager. Lastly, the Update Compatibility Evaluator components included with the Application Compatibility Toolkit can streamline testing for Microsoft applications.
Microsoft has received a lukewarm response to its shift away from Security Bulletins and toward Security Update Guides, which group together information on specific vulnerabilities, products and KB numbers in a structured format that is easier for sysadmins to parse and to use in scripts and programs that manage patching. These guides are available on a portal the company calls the Security Update Guides library.