How to overcome the challenges of Microsoft’s Security Bulletin retirement

This is a contributed article by Ken Hilker, Senior Product Manager at Flexera Software.

 

Microsoft no longer publishes security bulletins, which for decades provided IT administrators with a monthly list of vulnerabilities and the accompanying patches. Last November Microsoft warned that the Security Bulletins accompanying Patch Tuesday would be discontinued, and it followed through on that promise with the April 2017 edition.

Information about software vulnerabilities is now found only on the Security Update Guide portal (SUG). This change is troublesome for patch management professionals who already have enough on their plate. Moreover, the additional time needed to research and understand which security patches their unique environments require will only lengthen the time to patch. While the portal is searchable by Common Vulnerabilities and Exposures (CVE) identifier, Knowledge Base (KB) article, product or release date, the change in process will affect the daily routines of IT administrators and security professionals around the world.

Microsoft says that SUG has functionality that users have been asking for, and that the portal allows users to customise it for their unique needs.  While the portal has advanced capabilities, the change has generated concern about the impact on patch management activities.

Part of the outcry against Microsoft relates to the changes that companies will have to make to their IT processes. Security Bulletins have been around for years, and administrators have built their processes around the predictable and consistent delivery of these bulletins. Microsoft’s format change is inconvenient for patch management professionals and may require more time spent researching and identifying the security patches required for their unique environments.

Consequently, companies relying on Microsoft Security Bulletins must now change their processes, and need to find alternative solutions to streamline and improve efficiency.

 

Old versus new

An example of this format change is a vulnerability in Adobe Flash Player (which Microsoft distributes to its users). The older format looked like this:

It was a single security bulletin that could be read to quickly determine which Windows platforms and products were affected.

Now, using the SUG, the same vulnerability information is broken out into a separate listing on the website for each platform. The same Adobe Flash Player vulnerability now looks like this:

 

Pulling vulnerability information

Thankfully, despite the loss of the Security Bulletins, vulnerability information from over a thousand sources – including vendors like Microsoft and Adobe – can still be pulled today. All of this information can be consolidated into an easy-to-understand advisory that shows every product affected and the related CVE references, along with the vendor’s solution for that group of vulnerabilities.

 

Vulnerability ratings

The criticality of a vulnerability is based on an assessment of its potential impact on a system, the attack vector, any mitigating factors, and whether an exploit exists and is being actively used before a patch is released. The vulnerability ratings are as follows:

  • Extremely Critical (5 of 5): Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not usually require any user interaction, and exploits are in the wild. These vulnerabilities can exist in services like FTP, HTTP and SMTP or in certain client systems like email applications or browsers.
  • Highly Critical (4 of 5): Normally used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not typically require any user interaction, but no exploits are known to be available at the time of disclosure. Such vulnerabilities can exist in services like FTP, HTTP and SMTP or in client systems like email applications or browsers.
  • Moderately Critical (3 of 5): Usually used for remotely exploitable Denial of Service (DoS) vulnerabilities against services like FTP, HTTP and SMTP, and for vulnerabilities that permit system compromise but require user interaction. This rating is also used for vulnerabilities allowing system compromise on LANs in services like SMB, RPC, NFS, LPD and similar services that are not intended for use over the Internet.
  • Less Critical (2 of 5): Usually used for cross-site scripting and privilege escalation vulnerabilities. This rating is also used for vulnerabilities allowing exposure of sensitive data to local users.
  • Not Critical (1 of 5): Typically used for very limited privilege escalation vulnerabilities and locally exploitable DoS vulnerabilities. This rating is also used for non-sensitive system information disclosure vulnerabilities (e.g. remote disclosure of an application’s installation path).

 

Additional considerations

Beyond criticality, IT administrators also need to consider:

  • Impact – what this vulnerability can affect (System Access, DoS, Release of Sensitive Information, etc.)
  • Where – from where this vulnerability can be exploited: Local System, Local Network or Remote (outside of network)
  • Solution status – is there a patch or other method that mitigates the vulnerability?
  • CVE references – uses industry standard CVE to aid in communication across groups
  • Products affected – can show if the advisory is for one product or multiple ones (in this case, the vulnerabilities affect multiple operating system versions)
  • Advisory details – Summary of the issue
  • Solution details – how this vulnerability can be mitigated
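As an added illustration of the two steps described above (consolidating per-platform SUG listings into one advisory, then deriving a criticality from impact, attack vector, user interaction and exploit availability), the following is example code written for this article; it is not Flexera’s product code and does not use Microsoft’s SUG API. The record layout, the sample records and the CVE/KB identifiers are constructed placeholders, and the rating function encodes only the rules stated in the list above, raising an error for any combination the list does not define.

```python
"""Fold per-platform Security Update Guide (SUG)-style listings into one advisory
per component and derive a 1-to-5 criticality from the factors the article lists.

Added example, not Flexera's or Microsoft's code. The record layout and the
sample data are constructed; CVE and KB identifiers are placeholders."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Iterable, List


class Criticality(IntEnum):
    NOT_CRITICAL = 1
    LESS_CRITICAL = 2
    MODERATELY_CRITICAL = 3
    HIGHLY_CRITICAL = 4
    EXTREMELY_CRITICAL = 5


@dataclass(frozen=True)
class SugRecord:
    """One per-platform listing, the shape SUG now presents (assumed layout)."""
    cve: str
    component: str          # software the flaw is in, e.g. Adobe Flash Player
    product: str            # platform the listing applies to
    kb: str                 # KB article carrying the fix
    where: str              # "remote", "local_network" or "local"
    impact: str             # system_access, dos, privilege_escalation, xss,
                            # sensitive_info (to local users), info_disclosure
    user_interaction: bool = False
    exploit_in_wild: bool = False
    limited: bool = False   # "very limited" privilege escalation


def rate(r: SugRecord) -> Criticality:
    """Apply the article's rating rules; combinations it does not define raise."""
    if r.impact == "system_access":
        if r.where == "remote" and not r.user_interaction:
            # Remote, no interaction: 5 of 5 only when exploits are in the wild.
            return (Criticality.EXTREMELY_CRITICAL if r.exploit_in_wild
                    else Criticality.HIGHLY_CRITICAL)
        if r.where == "local_network" or (r.where == "remote" and r.user_interaction):
            # LAN-only services (SMB, RPC, NFS, LPD) or compromise needing interaction.
            return Criticality.MODERATELY_CRITICAL
    elif r.impact == "dos":
        if r.where == "remote":
            return Criticality.MODERATELY_CRITICAL
        if r.where == "local":
            return Criticality.NOT_CRITICAL
    elif r.impact == "privilege_escalation":
        return Criticality.NOT_CRITICAL if r.limited else Criticality.LESS_CRITICAL
    elif r.impact in ("xss", "sensitive_info"):
        return Criticality.LESS_CRITICAL
    elif r.impact == "info_disclosure":
        return Criticality.NOT_CRITICAL
    raise ValueError(f"no rule in the article for {r.impact}/{r.where}")


@dataclass
class Advisory:
    """The bulletin-style view: all products, related CVEs, fix, one rating."""
    component: str
    cves: List[str] = field(default_factory=list)
    products: List[str] = field(default_factory=list)
    solutions: List[str] = field(default_factory=list)
    criticality: Criticality = Criticality.NOT_CRITICAL
    where: str = "local"


WHERE_ORDER = {"local": 0, "local_network": 1, "remote": 2}


def consolidate(records: Iterable[SugRecord]) -> Dict[str, Advisory]:
    """Group listings by component; the advisory takes the worst rating seen."""
    advisories: Dict[str, Advisory] = {}
    for r in records:
        adv = advisories.setdefault(r.component, Advisory(component=r.component))
        for target, value in ((adv.cves, r.cve), (adv.products, r.product),
                              (adv.solutions, r.kb)):
            if value not in target:
                target.append(value)
        adv.criticality = max(adv.criticality, rate(r))
        if WHERE_ORDER[r.where] > WHERE_ORDER[adv.where]:
            adv.where = r.where
    return advisories


def summarize(adv: Advisory) -> str:
    name = adv.criticality.name.replace("_", " ").title()
    return (f"{adv.component}: {name} ({int(adv.criticality)} of 5), {adv.where}; "
            f"CVEs {', '.join(adv.cves)}; products {', '.join(adv.products)}; "
            f"fix {', '.join(adv.solutions)}")


# Constructed sample mirroring the Flash Player case: one flaw listed once per
# platform, plus an unrelated local flaw. CVE/KB values are placeholders.
SAMPLE_RECORDS = [
    SugRecord("CVE-XXXX-0001", "Adobe Flash Player", "Windows 10", "KB0000001",
              "remote", "system_access", exploit_in_wild=True),
    SugRecord("CVE-XXXX-0001", "Adobe Flash Player", "Windows 8.1", "KB0000001",
              "remote", "system_access", exploit_in_wild=True),
    SugRecord("CVE-XXXX-0002", "Adobe Flash Player", "Windows Server 2016", "KB0000001",
              "remote", "system_access"),
    SugRecord("CVE-XXXX-0003", "Hypothetical Print Service", "Windows Server 2016",
              "KB0000002", "local", "privilege_escalation"),
]

if __name__ == "__main__":
    for advisory in consolidate(SAMPLE_RECORDS).values():
        print(summarize(advisory))
```

Run as a script, the four per-platform listings collapse into two advisories: the Flash Player one lists all three platforms and both CVEs against a single KB and carries the worst rating seen (5 of 5, because exploits were flagged as in the wild on one listing), which is the kind of single view the old bulletin provided. Taking the maximum across listings is a deliberate choice: a patch team working per advisory should schedule by the worst case among the platforms it covers.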

 

We’ll all be OK!

Many businesses are concerned about Microsoft changing the way they release vulnerability information around their products to the world.  Yes, Microsoft used to publish the Security Bulletins, which helped IT pros understand patches that closed multiple vulnerabilities, patches closing vulnerabilities affecting multiple products, and so on.  Thankfully, however, there are solutions available today that achieve a similar view – more than making up for the lack of Security Bulletins.

IDG Connect