By: Gregg Keizer
Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches.
One patching expert crossed his fingers that Microsoft would make good on its pledge to publish the same information when it switches to a new online database. “I’m on the fence right now,” said Chris Goettl, product manager with patch management vendor Shavlik, of the demise of bulletins. “We’ll have to see [the database] in February before we know how well Microsoft has done [keeping its promise].”
Microsoft announced the demise of bulletins in November, saying then that the last would be posted with January’s Patch Tuesday — the monthly round of security updates for Windows and other Microsoft software — and that the new process would kick in on Feb. 14, next month’s patch day.
The web-based bulletins have been a feature of Microsoft’s patch disclosure policies since at least 1998, and for almost as long have been considered the professional benchmark by security experts.
A searchable database of support documents will replace the bulletins; that database has been available, albeit in preview, since November on the portal Microsoft dubbed the “Security Updates Guide,” or SUG.
The documents stored in the database are specific to a vulnerability on an edition of Windows, or a version of another Microsoft product. They can be sorted and filtered by the affected software, the patch’s release date, its CVE (Common Vulnerabilities and Exposures) identifier, and the numerical label of the KB, or “knowledge base” support document.
“Our customers have asked for better access to update information, as well as easier ways to customize their view to serve a diverse set of needs,” wrote an unnamed member of the Microsoft Security Response Center in November to explain the switch from bulletins to database.
Goettl saw it differently, saying that the change became a necessity once Microsoft upended Windows patching practices with the mid-2015 launch of Windows 10.
“Microsoft created a reporting and compliance issue for its customers with the discrepancy between Windows 10 and everything else,” Goettl said. “With Windows 10, enterprises were auditing a single install instead of six to 10 of them. Then they brought legacy Windows into this as well.”
Goettl was talking about the radical patching practice Microsoft introduced with Windows 10, where all security updates for a month are collected into a single download-and-install package. Unlike with 10’s predecessors, individual patches cannot be withheld — a common tactic IT administrators have used when reports surface that a specific patch breaks other software, cripples systems or disrupts workflows.
Critics immediately laid into Microsoft over Windows 10 updates, lambasting both the consolidated and cumulative nature of the patches but also the move to vague and generic descriptions of the underlying vulnerabilities and what the fixes addressed. They expanded their critiques to Windows 7 and Windows 8.1 when in October Microsoft adopted the same update methodology for those older OSes.
“Bulletins cannot be used to report compliance in the enterprise,” said Goettl, because they are inconsistent with all-or-nothing updates. The disparity — bulletins described individual updates, while the updates themselves contained multiple patches that could not be separated — made the bulletins useless.
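The reporting problem Goettl describes, a per-bulletin record that no longer matches an all-or-nothing cumulative package, is easiest to see in a small reconciliation script. The following is an added example, not code from the article, from Shavlik or from Microsoft; every KB and CVE identifier in it is a constructed placeholder, and it assumes (as the "cumulative" label implies) that each month's package supersedes the previous month's, so installing the latest one also closes the earlier CVEs. Compliance is then reported per CVE, derived from the KB-to-CVE mapping, rather than per bulletin.

```python
"""Reconcile host patch state against per-CVE coverage of cumulative updates.

Constructed sample data: each monthly cumulative update is one KB that fixes
several CVEs and supersedes the prior month's KB. All identifiers are
placeholders, not real Microsoft KB or CVE numbers.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class CumulativeUpdate:
    kb: str                   # knowledge-base article number (placeholder)
    release: str              # release month, YYYY-MM
    cves: FrozenSet[str]      # CVEs newly fixed in this package
    supersedes: Optional[str]  # KB of the previous cumulative update, if any


# Constructed catalogue in release order (assumption: strictly cumulative chain).
CATALOGUE: List[CumulativeUpdate] = [
    CumulativeUpdate("KB-EXAMPLE-01", "2016-11",
                     frozenset({"CVE-EX-0001", "CVE-EX-0002"}), None),
    CumulativeUpdate("KB-EXAMPLE-02", "2016-12",
                     frozenset({"CVE-EX-0003"}), "KB-EXAMPLE-01"),
    CumulativeUpdate("KB-EXAMPLE-03", "2017-01",
                     frozenset({"CVE-EX-0004", "CVE-EX-0005"}), "KB-EXAMPLE-02"),
]
BY_KB: Dict[str, CumulativeUpdate] = {u.kb: u for u in CATALOGUE}


def cves_fixed_by(kb: str) -> Set[str]:
    """CVEs remediated by installing `kb`, walking the supersedence chain.

    Because packages are cumulative, one installed KB covers every CVE fixed
    by the packages it supersedes; an unknown KB contributes nothing.
    """
    fixed: Set[str] = set()
    current = BY_KB.get(kb)
    while current is not None:
        fixed |= current.cves
        current = BY_KB.get(current.supersedes) if current.supersedes else None
    return fixed


def all_cves() -> Set[str]:
    """Every CVE the catalogue knows a fix for."""
    return set().union(*(u.cves for u in CATALOGUE))


def host_coverage(installed_kbs: Iterable[str]) -> Dict[str, Set[str]]:
    """Split the catalogue's CVEs into fixed and missing for one host."""
    fixed: Set[str] = set()
    for kb in installed_kbs:
        fixed |= cves_fixed_by(kb)
    return {"fixed": fixed, "missing": all_cves() - fixed}


def report(hosts: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Per-CVE compliance view: which hosts still lack a fix for each CVE.

    This is the view a bulletin-per-update record cannot give once updates are
    bundled; it comes from the KB-to-CVE mapping instead.
    """
    missing_by_cve: Dict[str, List[str]] = {cve: [] for cve in sorted(all_cves())}
    for name, kbs in hosts.items():
        for cve in host_coverage(kbs)["missing"]:
            missing_by_cve[cve].append(name)
    return missing_by_cve


if __name__ == "__main__":
    # Constructed inventory: one current host, one that stopped in November,
    # one unpatched host.
    inventory = {
        "host-a": ["KB-EXAMPLE-03"],
        "host-b": ["KB-EXAMPLE-01"],
        "host-c": [],
    }
    for cve, lacking in report(inventory).items():
        print(f"{cve}: missing on {lacking or 'no hosts'}")
```

Note that `host-b` in the constructed inventory has only the November package, so the script reports it as exposed to every CVE fixed in December and January; a skipped month cannot be partially applied, which is exactly the all-or-nothing behaviour the article describes.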
But the informational content of the bulletins will remain valuable, Goettl argued, even if updates are packaged differently than before. Microsoft agreed: In a FAQ about the database, the company said, “By February, information provided in the new Security Updates Guide will be on par with the set of details available in traditional security bulletin webpages.”
The Security Updates Guide’s preview has not met that mark; some information found in the January Patch Tuesday bulletins, for example, was missing from the appropriate entries in the online database.
“There will be a lot of people who will be very put out if [Microsoft] neglects [things like] what’s being exploited,” said Goettl of the support document replacements. “The key indicators are still very important.”
Goettl was willing to give Microsoft the benefit of the doubt for now, but was adamant that the Redmond, Wash. company had to make good on its vow to retain the bulletins’ content. “By February, Microsoft is going to have to prove to us that this is a good thing for us,” he said.