Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches.
One patching expert crossed his fingers that Microsoft would make good on its pledge to publish the same information when it switches to a new online database. "I'm on the fence right now," said Chris Goettl, product manager with patch management vendor Shavlik, of the demise of bulletins. "We'll have to see [the database] in February before we know how well Microsoft has done [keeping its promise]."
Microsoft announced the demise of bulletins in November, saying then that the last would be posted with January's Patch Tuesday -- the monthly round of security updates for Windows and other Microsoft software -- and that the new process would kick in on Feb. 14, next month's patch day.
The web-based bulletins have been a feature of Microsoft's patch disclosure policies since at least 1998, and for almost as long have been considered the professional benchmark by security experts.
A searchable database of support documents will replace the bulletins; that database has been available, albeit in preview, since November on the portal Microsoft dubbed the "Security Updates Guide," or SUG.
The documents stored in the database are specific to a vulnerability on an edition of Windows, or a version of another Microsoft product. They can be sorted and filtered by the affected software, the patch's release date, its CVE (Common Vulnerabilities and Exposures) identifier, and the numerical label of the KB, or "knowledge base" support document.
"Our customers have asked for better access to update information, as well as easier ways to customize their view to serve a diverse set of needs," wrote an unnamed member of the Microsoft Security Response Center in November to explain the switch from bulletins to database.
Goettl saw it differently, saying that the change became a necessity once Microsoft upended Windows patching practices with the mid-2015 launch of Windows 10.
"Microsoft created a reporting and compliance issue for its customers with the discrepancy between Windows 10 and everything else," Goettl said. "With Windows 10, enterprises were auditing a single install instead of six to 10 of them. Then they brought legacy Windows into this as well."
Goettl was talking about the radical patching practice Microsoft introduced with Windows 10, where all security updates for a month are collected into a single cumulative download-and-install package. Unlike with Windows 10's predecessors, individual patches cannot be withheld -- a common tactic IT administrators have used when reports surface that a specific patch breaks other software, cripples systems or disrupts workflows.