Patch up, boys! Microsoft to stop publishing Security Bulletins

02/13/2017
G DATA Blog

Many system administrators rely on Microsoft’s Security Bulletins to obtain information about critical security issues. However, from February’s Patch Tuesday onwards, Microsoft will no longer be publishing them. Instead, the company has chosen to replace the bulletins with an online database, causing uncertainty among system administrators.

For home users, obtaining and installing patches for Microsoft products has never been easier: since the introduction of Windows 10, the process has been largely automated. Many other vendors, such as Google, also automatically deliver updates to their customers. However, not all Windows users appreciate such deployment methods. What sounds like a comfortable way to stay up-to-date can become a nightmare for enterprise system administrators. Automated decisions about applying updates can lead to version inconsistency across the network - especially when decisions are made on a per-endpoint basis. Inconsistencies make it difficult to act on bug reports in a timely fashion. For example, if a patch is released to fix a critical vulnerability, administrators must make sure they know which software is affected and which clients need to be updated.

Discontinuing an industry standard

Getting information about the issues that are fixed by a patch, as well as its possible side effects, is essential to the process. Without it, it is impossible to estimate the time required to test the patch and install it across the network, or indeed to even decide whether to deploy a patch or not. That is why publications such as Microsoft’s Security Bulletins are important. They offer a lot of information and have become a de-facto industry standard ever since the first Bulletin was released in June 1998. Over the years, administrators have become accustomed to the format - which is why many were surprised when Microsoft announced in November 2016 that they intend to phase it out.

Security Updates Guide - a viable replacement?

Starting on February's Patch Tuesday (February 14), Microsoft will only publish information about their security patches to a new online database called Security Updates Guide. The Microsoft website features a preview version, which contains release notes as well as information on individual security issues. The Guide can be searched and filtered more easily than the Bulletins, but it is the actual content that counts. Microsoft plans to fill the Guide with the same types of information that used to be part of the Bulletins. However, for the January edition of Patch Tuesday (for which the Guide was updated in parallel to the regular Security Bulletins being released), not all Bulletin content was made available in the Guide. So far, release notes have been sparse: at the time this article was published, only two release notes were available, and they contained very little information.

Reliable and consistent patch information is a crucial prerequisite for all stages of the patch management cycle. As early as the information gathering and strategy & planning phases, knowing as much as possible about the patches and their effects is vital. Therefore, system administrators should make sure they have a reliable source of information to support patch management holistically. Whether the new Security Updates Guide will live up to expectations remains to be seen. In any case, the process can be made easier by using a patch management solution that provides integrated patch information across multiple vendors and products and supports all stages of the patch management cycle.

Update

Microsoft has announced that they will delay the deployment of the February updates due to problems which were discovered at the last moment. A new date has not been communicated yet.

Adobe, however, has used the February patch day as planned to fix some security flaws.