Security bulletins of Microsoft's Patch Tuesday replaced by a database.
Date: November 07, 2016
Last month Microsoft announced that its “Patch Tuesday” security bulletins will be replaced by a database accessible online. Although the old system has proved its worth, and other software vendors such as Adobe have adopted the same monthly update schedule, the use of static pages is old-fashioned today.
This new system should be easier for administrators. Instead of trawling through an index page of static documents to locate specific information, they can use the “Security Update Guidance” that Microsoft has presented (reached through the “Go to dashboard” button), which makes it easier to search for detailed information about vulnerabilities and security updates for Microsoft software: “Instead of publishing security bulletins describing the associated vulnerabilities, the new portal lets users search and view information about security vulnerabilities from a single database online”.
Bulletins for November 2016 through January 2017 are published to both the old index and the new guide. After January 2017, new Microsoft Security Bulletins will only be published in the new system dubbed the Security Updates Guide.
This new service should bring more flexibility to administrators by allowing them to sort and filter to find details about a specific security bulletin and its associated updates. For example, it will be possible to filter by product category to find all updates that apply to the Internet Explorer or Edge web browsers (see first screenshot below). It will also be possible to combine criteria, for instance to display a list of critical updates only for Windows 10 version 1607. Queries are made from a grid, and selecting additional criteria refines the filtering. Details regarding the vulnerability (including CVE numbers, severity ratings, and impact) are hidden by default but can be displayed by checking one or two checkboxes. Each entry of the grid contains links to the associated KB, details about the vulnerability and related software.
More specific information about the KB is available when you click on a product:
From this page administrators will have details on the products impacted by the KB and will be able to download the associated patch for the desired product:
To quickly obtain information about a specific vulnerability, it will be possible to search by CVE or KB number (see screenshot below):
When you click the CVE reference of the vulnerability, the displayed page describes the vulnerability and provides information about the affected products as well as the CVSS score:
This is Microsoft's latest change, following its decision to package updates into cumulative packages instead of delivering individual updates that can be accepted or discarded.