Microsoft is receiving mixed reviews for its shift to delivering security update information via its newly launched Security Update Guides.
The change was official in April, with Microsoft explaining it would allow system administrators to effectively pair specific patches with vulnerabilities, and that the introduction of API support would help customers automate some aspects of patching.
After this week’s release of patches, however, the jury is still out when it comes to liking or loathing the new format. For starters, some critics argue it takes longer to parse the data delivered via Security Update Guides.
“I typically spend two to three hours to read through and determine what updates need to go to our systems, document, etc. I spent a solid eight hours trying to make sense of everything today and get it organized, and I’m not close to being finished,” wrote a Tech Net community member on a forum where Microsoft is soliciting feedback on the new format. Other gripes include broken third-party patching tools reliant on the way Microsoft’s old security bulletins presented data, and Security Update Guide glitches that make using the tool more difficult.
On the plus side, security experts say the new focus on Common Vulnerabilities and Exposures (CVE) is refreshing, making it easier to prioritize critical fixes and ignore products that are not relevant to a company. They also argue support for APIs in the long run will make the regular Patch Tuesday release of vulnerability data more pliable and useful.
“I think it is more aligned with the continuous update model Microsoft has been rolling out over the past year,” said Allen Falcon, CEO of Cumulus Global, IT solution provider and Microsoft partner. “I think it’s easier to read and better communicates the flaws relevant to my customers.”
Security professionals and system administrators alike have had time to adjust. Microsoft told customers about the switch in November; Microsoft had planned the switchover for February’s Patch Tuesday, but when that update was postponed, the changeover was rescheduled for April.
The biggest changes include no longer publishing security updates on the Microsoft Security Bulletin website and instead on a new site called Security Update Guide. Differences include new sorting capabilities that allows users to filter vulnerabilities and updates by things such as CVEs, KB numbers, products and release dates.
The idea, Microsoft said, is to allow users to filter out products that don’t apply to them and more easily find updates relevant to the products they use.
To help accomplish this, Microsoft is leveraging a new RESTful API to obtain security update information and share it. “This eliminates the need for you to employ outdated methods like screen-scraping of security bulletin web pages to assemble working databases of necessary and actionable information,” according to a Nov. 8 TechNet blog post.
When asked to respond to critics regarding the update, Microsoft declined to answer specific Threatpost questions and released the statement:
“The new portal gives customers access to all the information they had before in a customizable way, ensuring transparency with our releases and providing tools that enable more personal computing,” a Microsoft spokesperson wrote.
The switch to Security Update Guides is the latest change that is part of Microsoft’s overhaul in how it delivers software updates and security patches that began last year.
In October, Microsoft introduced its new patch process for Windows 7 and 8. The move was an effort to streamline patching to more closely match how Microsoft delivered updates to Windows 10. That method, referred to as Windows as a service, has also been welcomed and feared by sysadmin.
“Unfortunately, Microsoft has a track record that includes releasing faulty patches and ones that can break mission critical systems,” said Joe Balsarotti, president of Software To Go, an IT solution provider and Microsoft partner. He said a bad update can cost tens of thousands of dollars in time and money if he has to roll back systems and fix problems caused by a bad patch.
Balsarotti said the move to Security Update Guides goes hand in hand with the cumulative roll-up model.
The new information and delivery of updates is geared more toward automation and supports APIs to download information into a structured format. That allows sysadmin to create their own scripts and programs for parsing Patch Tuesday data.
“People do not want to think about individual patches anymore; they just want to know they are safe,” said Aamir Lakhani, global security strategist for Fortinet. “Things have changed. Microsoft is following operating systems such as OS X, Google Chromium OS, iOS, where systems are updated, not individual patches. Applications have been using this method for a long time. When you update Firefox, Adobe Reader or most other applications, you get one single file with all the security updates and patches.”
Gone are Microsoft Security Bulletins that used to group information on related vulnerability, products and KBs together to give a holistic view of updates being released on Patch Tuesday, said Amol Sarwate, director of engineering at Qualys.
“In March 2017, Microsoft released 18 security bulletins in the old format which in my opinion are easy to understand as compared to the 1,774 items that were downloaded in a spreadsheet using the new security update guide for the same month,” Sarwate said.
Greg Wiseman, Senior Security Researcher at Rapid7, argues with the introduction of API support system administrators can be used to custom configure patching data however they see fit.
“In the short to medium term, I expect security teams will develop tools and processes based on API that can replicate the Patch Tuesday summaries that Microsoft used to provide,” Wiseman said. “The API makes it easier to develop such tools, and we may find this ease of development leads to a wider array of useful, more flexible utilities.”
