
Customers roast Microsoft over security bulletins' demise

Gregg Keizer | April 25, 2017
Company asks for feedback; one user replies, 'Thanks for nothing'.


When Microsoft asked customers last week for feedback on the portal that just replaced the decades-long practice of delivering detailed security bulletins, it got an earful from unhappy users.

"Hate hate hate the new security bulletin format. HATE," emphasized Janelle 322 in a support forum where Microsoft urged customers to post thoughts on the change. "I now have to manually transcribe this information to my spreadsheet to disseminate to my customers. You have just added 8 hours to my workload. Thanks for nothing."

Janelle 322 and others left scathing comments on the support forum Microsoft touted Friday as the place to post comments and questions about the Security Update Guide (SUG), the online portal which took the place of familiar bulletins.

Microsoft announced the demise of bulletins in November 2016, saying then that the new process would debut Feb. 14. Those web-published bulletins had been a cornerstone of Microsoft's patch disclosure policies since at least 1998. The bulletins' thoroughness and transparency were long praised by security professionals, who considered them the benchmark against which all other vendors' efforts were compared.

After a two-month delay, Microsoft dropped bulletins with the April 11 collection of security fixes. A day later, one patch expert said the switch from bulletins to SUG had expanded his workload by about six times.

Customers echoed the added-work theme in comments on the support thread.

"I typically spend 2-3 hours to read through and determine what updates need to go to our systems, document, etc. I spent a solid 8 hours trying to make sense of everything today and get it organized, and I'm not close to being finished," reported Jim24Mac. "What I had to go through today was an abomination. I download[ed] the spreadsheet with 670 lines of exploit info that I'm supposed to somehow find useful to determine what I need and why. It's terrible."

Other critics got more specific.

"While calling out the security issue via CVEs [Common Vulnerabilities & Exposures] is valid, for the system admin/patcher the new format doesn't relate well at all to what we see to approve and patch," wrote Susan Bradley, a noted Windows patch expert who writes for the Windows Secrets newsletter. "While it's appreciated to have a searchable database in the Security Update Guide, it is too cumbersome to use to quickly get the information needed on Update Tuesday. To get the same information took way too many steps and required collaboration with other sources to confirm information.

"Bottom line we have a communication problem," Bradley continued. "You are talking CVEs [but] we're still needing something that showcases what we see needing to be installed on our PCs. If there is any way to better filter down the information and make it better trackable to what we see installed, that would be grand."

