As we approach February 14th, the lyrics of a great Everly Brother’s song, “Bye Bye Love,” are playing in my mind. It’s not the reason you think. My wife and I are completely happy, and it’s not because RSA has been scheduled over Valentine’s Day. It’s because February 14th will be the first time that we truly notice the death of Microsoft Security Bulletins. Somehow, thinking about that makes the lyrics “Bye bye happiness, hello loneliness, I think I’m-a gonna cry” seem very fitting.
Bulletins like MS17-004, the last official Microsoft Security Bulletin, are gone. The Security Updates Guide (still in preview as this was written) is the replacement for bulletins. This page has a modern look and feel, although I worry about a giant list of security updates given that during the preview it’s already grown to contain over 3600 entries. It’s important to note that you need to turn on Show Details in order to see CVEs for each item. Even then, Adobe items have different details that are not CVEs. I suspect this is because the patch resolves more than a single vulnerability.
Let’s start with the highlights of this new system because there are definitely a few. First, Microsoft has created an API for pulling this information and provided code snippets in a variety of languages. This looks like an excellent start to machine parsing Microsoft security information. They actually took it a step further as well by including the CVRF data for each vulnerability. This data is used by other vendors and provides a machine-readable method of sharing the details of a vulnerability – description, affected versions, etc.
There are also a few issues. The first is that the API was clearly designed for internal use. It returns vulnerability data formatted for display on Microsoft’s website rather than plain text. This means that consumers of the API will have to spend additional time scrubbing various tags and styles, which clearly indicates this was not originally intended for public consumption.
A second issue is that data is less consolidated and bulletin summaries are gone. This data was perhaps the most useful part of a security bulletin. Quickly summarizing the biggest issues and the changes made by the patch. Instead, I need to visit KB articles for each patch or a page for each CVE. I no longer get a concise roll-up of all related information. Just comparing a bulletin and guidance page required four or five additional clicks to find the information. This is perhaps another indicator that Microsoft is putting emphasis on making the data available in machine readable format rather than for direct human consumption. This could be a big problem for smaller IT departments that lack the resources to develop tools for getting appropriate situational awareness.
Finally, an important piece of information that I frequently see referenced by Tripwire customers has gone missing. The updates replaced column, also known as the supersessions, have been removed from the content. Given the importance of this information, it’s a shame to see it disappear. This information is used to validate if a system is truly up-to-date or if a patch is missing. Vulnerability management and patch management vendors, along with Microsoft’s own products, aren’t always perfect. Upon human review, it’s sometimes found that even the tools closest to the patching process have made mistakes or assumptions. You may say, “But everything is now a monthly roll-up, so does it really matter?” The answer is, “Yes… it does.” The monthly roll-up apply to Windows 7 and newer and Vista is nearly out of support, but what about non-OS patches (which sometimes account for half of the bulletins released in a month)?
Ultimately, we won’t know the real success or failure of this change until February 14th because so far Microsoft has just been duplicating the bulletin information into the guidance pages. It’s clear that there are a few pieces of information missing, and we’ll have to wait a few weeks to see if the end of bulletins truly means an increase or decrease in available information.