Microsoft this week retired the security bulletins that for decades have described each month's slate of vulnerabilities and accompanying patches for customers -- especially administrators responsible for companies' IT operations.
One patch expert reported on the change for his team. "It was like trying to relearn how to walk, run and ride a bike, all at the same time," said Chris Goettl, product manager with patch management vendor Ivanti.
The move to a bulletin-less Patch Tuesday brought an end to months of Microsoft talk about killing the bulletins that included an aborted attempt to toss them.
Microsoft announced the demise of bulletins in November, saying then that the last would be posted with January's Patch Tuesday, and that the new process would debut Feb. 14. A searchable database of support documents would replace the bulletins. Accessed through the "Security Updates Guide" (SUG) portal, the database's content can be sorted and filtered by the affected software, the patch's release date, its CVE (Common Vulnerabilities and Exposures) identifier, and the numerical label of the KB, or "knowledge base" support document.
SUG's forerunners were the web-based bulletins that have been part of Microsoft's patch disclosure policies since at least 1998. Microsoft did such a good job turning out those bulletins that they were considered the aspirational benchmark for all software vendors.
In February Microsoft canceled that month's Patch Tuesday just hours before the security updates were to reach customers, making the bulletins' planned demise moot. Microsoft kept the bulletins the following month as well, saying it wanted to give users more time to prepare for the change to SUG.
Finally, when Microsoft yesterday shipped cumulative security updates for Windows, Internet Explorer, Office and other products, it omitted the usual bulletins.
Goettl, who had withheld his final appraisal as Microsoft kept postponing the bulletins' passing, was not terribly impressed with the SUG substitute.
Earlier this year, Goettl said today, he had reserved judgment, but noted that the SUG portal had "some great capabilities." Yet he was undecided whether it would be able to deliver the same quantity and quality of information as the bulletins, without burdening administrators with more work.
"I was on the fence, but hopeful that we would get the same level of detail," he said.
While most of the information packed into the earlier bulletins remained available through SUG by digging into the numerous online documents, Goettl acknowledged, there was a big difference in accessibility.
"This month there were 46 vulnerabilities resolved by Microsoft," Goettl explained. "It took me about four hours to do the research [in SUG] that I would normally do with the bulletins. But last month, with 136 vulnerabilities, it took me only two hours. So [with the bulletins] I was able to do three times the amount of research in half the time."
Goettl blamed Microsoft for the additional time it will take for IT and security administrators to root through the information. Because the database's foundation were CVEs -- the identifiers for each discrete vulnerability -- he had to open scores of pages in his browser to reveal information about the Windows 10 flaws Microsoft had patched.
"You used to go to a bulletin page, say for Windows 10, and there were the vulnerabilities being resolved and the related KB pages, all in one place," said Goettl. "But this month, because there were 26 [patched] vulnerabilities in the Windows 10 cumulative update, I had to open 26 web pages. I had to open every CVE page.
"So that was a little disappointing," he said.
Goettl was stumped by one question today. "I don't know why it made any sense for them [to drop the bulletins]," he said when asked to speculate on Microsoft's motivation for the change. Earlier today, Goettl had led a free webinar on Microsoft's security updates for the month -- a standard practice for Ivanti -- and said many of the participants shared his take.
"They were all scratching their heads, wondering why Microsoft made it harder to find stuff."
He remains hopeful Microsoft will listen to customers and make changes to SUG. "There needs to be some refinement. This can't be the end of this," Goettl argued.
In the meantime, Ivanti created what Goettl called "artificial bulletins" from the information in SUG for customers using the Shavlik patch management systems. (Shavlik was one of several firms acquired by LANDesk; the latter, in turn, rebranded itself as Ivanti in January.) Goettl said that customers of other legacy systems under the Ivanti brand would get a similar workup from the vendor.