Starting on October 15, 2003, Microsoft began using a new process to distribute its security bulletins. Henceforth, security bulletins will be released on the second Tuesday of each month along with summary documents.
The base line for security bulletin information remains the same. Microsoft will still issue an individual security bulletin for each patch or update that it releases, using a new format that combines information from what used to appear in the bulletin itself and an accompanying knowledge base article. (Microsoft Security Bulletins remain available at www.microsoft.com/security/security_bulletins.) Also, the company will release monthly summaries for each product family for which bulletins have been released. For example, in October there were two summaries:
- Microsoft Windows Security Bulletin Summary for October 2003: covered bulletins MS03-041 through MS03-045
- Microsoft Exchange Server Security Bulletin Summary for October 2003: covered bulletins MS03-046 and MS03-047
The summary is intended to make it easy for administrators to access information about recent bulletins, to stay up-to-date on critical security updates and to make sure patches and updates can be scheduled on a timely basis.
Also, the content of individual bulletins will be beefed up, which Microsoft explains as follows: "... Microsoft will provide prescriptive guidance... including workarounds for all vulnerabilities where a workaround is feasible, risk-assessment for specific threats, and other information that will make it easier for customers to evaluate and deploy the patches. A Knowledge Base article for every patch will be created that will provide a link to the corresponding security bulletin without duplicating the same information." Feedback from customers makes it clear that "prescriptive guidance" is an important part in any security update, particularly in letting admins know the consequences of continued vulnerability and providing information about workarounds.
According to Microsoft's TechNet article "Revamping the Security Bulletin Release Process," this new process and improved content should produce tangible benefits. These include:
- Improved packaging and formatting: pulling all previous bulletin and KB article information together, making it easier for admins to access and process.
- Longer time between releases: allowing admins more time to consider, test, and deploy patches.
- Predictability: a regular schedule for updates allows admins to plan and schedule them into their routine activities.
- Additional guidance: by covering workarounds or alternative approaches, admins need not feel compelled to install patches "or else."
These changes are positive, both in terms of enhancing convenience, workflow, scheduling and in providing more guidance and information. It will be interesting to see if this new process works as Microsoft thinks it should. Subsequent updates to the October 15 bulletin summary on October 23 indicate that it's likely that the update process won't always be entirely smooth and predictable.
Thomas Alexander Lancaster IV is a consultant and author with more than 10 years experience in the networking industry, focused on Internet infrastructure.
This was first published in November 2003