How to overcome the challenges of Microsoft's Security Bulletin retirement

This is a contribute article by Ken Hilker, Senior Product Manager, at Flexera Software


Microsoft no longer publishes security bulletins, which for decades have provided IT administrators with a monthly list of vulnerabilities and accompanying patches.  Last November Microsoft warned that the Security Bulletins on Patch Tuesday would be discontinued, and they followed through on their promise with the April 2017 edition.

Information about software vulnerabilities are now only found on the Security Update Guides portal (SUG).  This change is troublesome for patch management professionals who already have enough on their plate.  Moreover, the additional time to research and understand the security patches required for their unique environments will only lengthen the time to patch.  While the portal is searchable by Common Vulnerabilities and Exposures (CVE), Knowledge Base (KB) article, product or release date, the change in process will impact the daily routines of IT administrators and security professionals around the world.

Microsoft says that SUG has functionality that users have been asking for, and that the portal allows users to customise it for their unique needs.  While the portal has advanced capabilities, the change has generated concern about the impact on patch management activities.

Part of the Microsoft outcry relates to changes that companies will have to make to their IT processes.  Security Bulletins have been around for years, and administrators have built their processes around the predictable and consistent delivery of these bulletins.  Microsoft’s format changes are inconvenient for patch management professionals and may require more time spent researching and identifying the security patches required for their unique environments.

Consequently, companies relying on Microsoft Security Bulletins must now change their processes, and need to find alternative solutions to streamline and improve efficiency.


Old versus new

An example of this format change is a vulnerability in Adobe Flash Player (which Microsoft distributes to their users).  The older format looked like this:

It is one security bulletin that could be read and quickly determine what Windows platforms and products are affected.

Now, using the SUG, the same vulnerability information is broken out into separate listings in the Website per platform.  This same Adobe Flash Player vulnerability now looks like this:


Pulling vulnerability information

Thankfully, despite the lack of Security Bulletins, vulnerability information from over a thousand sources – including vendors like Microsoft and Adobe – can still be pulled today.  All this information can be consolidated into an easy-to-understand advisory that shows all the products that are affected and the CVE references that are related, along with the vendor solution for this group of vulnerabilities.


Vulnerability ratings

The criticality of a vulnerability is based on the assessment of the vulnerability’s potential impact on a system, the attack vector, mitigating factors and if an exploit exists for the vulnerability and is being actively exploited prior to the release of a patch.  The vulnerability ratings follow:

  • Extremely Critical (5 of 5): Typically used for remotely exploitable vulnerabilities that can lead to system compromise.  Successful exploitation does not usually require any interaction and exploits are in the wild.  These vulnerabilities can exist in services like FTP, HTTP and SMTP or in certain client systems like email applications or browsers.
  • Highly Critical (4 of 5): Normally used for remotely exploitable vulnerabilities that can lead to system compromise.  Successful exploitation does not typically require any interaction, but there are no known exploits available at the time of disclosure.  Such vulnerabilities can exist in services like FTP, HTTP and SMTP or in client systems like email applications or browsers.
  • Moderately Critical (3 of 5): This rating is also used for vulnerabilities allowing system compromise on LANs in services like SMB, RPC, NFS, LPD and similar services that are not intended for use over the Internet.  Usually used for remotely exploitable Denial of Service (DoS) vulnerabilities against services like FTP, HTTP and SMTP, and for vulnerabilities that permit system compromises but require user interaction.
  • Less Critical (2 of 5): Usually used for cross-site scripting and privilege escalation vulnerabilities.  This rating is also used for vulnerabilities allowing exposure of sensitive data to local users.
  • Not Critical (1 of 5): Typically used for very limited privilege escalation vulnerabilities and locally exploitable DoS vulnerabilities.  This rating is also used for non-sensitive system information disclosure vulnerabilities (e.g. remote disclosure of installation path of applications).


Additional considerations

Beyond criticality, IT administrators also need to consider:

  • Impact – what this vulnerability can affect (System Access, DoS, Release of Sensitive Information, etc.)
  • Where – from where this vulnerability can be exploited: Local System, Local Network or Remote (outside of network)
  • Solution status – is there a patch or other method that migrates the vulnerability?
  • CVE references – uses industry standard CVE to aid in communication across groups
  • Products affected – can show if the advisory is for one product or multiple ones (in this case, the vulnerabilities affect multiple operating system versions)
  • Advisory details – Summary of the issue
  • Solution details – how this vulnerability can be mitigated


We’ll all be OK!

Many businesses are concerned about Microsoft changing the way they release vulnerability information around their products to the world.  Yes, Microsoft used to publish the Security Bulletins, which helped IT pros understand patches that closed multiple vulnerabilities, patches closing vulnerabilities affecting multiple products, and so on.  Thankfully, however, there are solutions available today that achieve a similar view – more than making up for the lack of Security Bulletins.


« Quotes of the week: "We won't make ourselves safer by making ourselves less free"


Seven things to know about datacentre deployment in Africa »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail

Recommended for You

Trump hits partial pause on Huawei ban, but 5G concerns persist

Phil Muncaster reports on China and beyond

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies


Do you think your smartphone is making you a workaholic?