vissha Posted November 8, 2016

A New Way of Displaying Monthly Security Patches

AskWoody - Woody Leonhard:

I’m not sure exactly how this will roll out, but we’ve been warned. The Microsoft Security Response Center has just announced that, effective in January, there won’t be any more security bulletins. In their stead, we get a spreadsheet.

Check out this month’s version. 55 KB articles for November 8. No mention of Security Bulletins.

Security update information will be published as bulletins and on the Security Updates Guide until January 2017. After the January 2017 Update Tuesday release, we will only publish update information to the Security Updates Guide.

Source

Microsoft to retire Security Bulletins in January 2017 - gHacks - Alternate Source

Petrovic Posted November 10, 2016

Quote

Microsoft has a long tradition of publishing Security Bulletins to share information about patches and security fixes that it releases. But starting next year this is going to change. As of February 2017, Microsoft will make use of the newly launched Security Updates Guide database.

This, on the face of it, sounds like a great idea -- a searchable database of information -- but it changes the way information is presented and is unlikely to be well-received by users.

The announcement was hardly shouted from the hilltops -- it was a little afterthought tacked on the end of a short blog post: "Security update information will be published as bulletins and on the Security Updates Guide until January 2017. After the January 2017 Update Tuesday release, we will only publish update information to the Security Updates Guide".

The main point of the blog post is to point out the existence of the new database, of which Microsoft says:

This month we released a preview of our new single destination for security vulnerability information, the Security Updates Guide. Instead of publishing bulletins to describe related vulnerabilities, the new portal lets our customers view and search security vulnerability information in a single online database.

Article source

Batu69 Posted November 10, 2016

Topic has been merged.

Karlston Posted November 11, 2016

Microsoft has eliminated individual patches from every Windows version, and Security Bulletins will go away soon, replaced by a spreadsheet with tools

Credit: flickr/moppet65535

With the old method of patching now completely gone—October’s patchocalypse eliminated individual patches from every Windows version—Microsoft has announced that the documentation to accompany those patches is in for a significant change. Most notable, Security Bulletins will disappear, replaced by a lengthy list of patches and tools for slicing and dicing those lists.

Security Bulletins go back to June 1998, when Microsoft first released MS98-001. That and all subsequent bulletins referred to specific patches described in Knowledge Base articles. The KB articles, in turn, have detailed descriptions of the patches and lists of files changed by each patch. The Security Bulletins serve as an overview of all the KB patches associated with a specific security problem. Some Security Bulletins list dozens of KB patches, each for a specific version of Windows.

The Security Bulletin system is archaic and has led to all sorts of silly conclusions. As the volume of monthly patches has grown into the hundreds, it’s also become unwieldy. I groan when I read a headline that says, “This month is a particularly heavy patching month because there are xx more Security Bulletins than usual,” or “We have x Security Bulletins, of which y are rated Critical and z Important.” The numbers and ratings don’t matter.

Microsoft’s dumping the artifice created by the Security Bulletins, and to that I say good riddance. The KB system remains, uniquely identifying individual patches, but they’re going to be knitted together differently.

Starting in January, we’ll have two lists—or, more accurately, two ways of viewing a master table.

The Security Updates Guide lists Security-only updates—each a KB article—and identifies it by product.
For Internet Explorer and Edge, the Guide lists both the product and the platform (for example, Edge for Win10 version 1607). You can view the monthly release notes (a very abbreviated version of the old Security Bulletin), and you can search for specific security holes by CVE number.

The Software Update Summary lists security patches by KB number.

Keep in mind that we’re only talking about security patches and the security part of the Windows 10 cumulative updates. Nonsecurity patches and Win7/8.1 monthly rollups are outside of this discussion.

To see where this is going and to understand why it’s vastly superior to the Security Bulletin approach, look at the lists for November 8, this month’s Patch Tuesday.

The main Windows Update list shows page after page of security bulletins, identified by MS16-xxx numbers, and those numbers have become ambiguous. See, for example, MS16-142 on that list, which covers both the Security-only update for Win7, KB 3197867, and the Monthly rollup for Win7, KB 3197868. The MS16-142 Security Bulletin itself runs on for many pages.

Now flip over to the Security Updates Guide. In the filter box type windows 7 and press Enter. You see four security patches (screenshot below): IE11 and Windows, both 32- and 64-bit. They’re all associated with KB 3197867.

In the Software Update Summary, searching for “windows 7” yields only one entry, for the applicable KB number (screenshot below).

Here’s why the tools are important. On this month’s Patch Tuesday, we received 14 Security Bulletins. Those Security Bulletins actually contain 55 different patches for different KB numbers; the Security Bulletin artifice groups those patches together in various ways. The 55 different security patches actually contain 175 separate fixes, when you break them out by the intended platform. There’s a whole lotta patchin’ goin’ on.

Starting this month, you can look at the patches either individually (in the Security Updates Guide) or by platform (in the Software Update Summary), or you can plow through those Security Bulletins and try to find the patches that concern you. Starting in January, per the Microsoft Security Response Center, the Security Bulletins are going away.

Of course, the devil’s in the implementation details, but all in all this seems to me like a reasonable response to what has become an untenable situation.

Source: Microsoft to revamp its documentation for security patches (InfoWorld - Woody Leonhard)

Microsoft’s changing the way it documents security patches (AskWoody.com)

Batu69 Posted November 11, 2016

Topic moved from software news forum & merged.