Microsoft's April Patch Tuesday finally revealed the company's new approach in rolling out and informing the industry on the security updates for the month and at best has received mixed reviews from several industry insiders.
When April's security updates were posted last week by Microsoft, admins found an entirely new beast compared to what they had grown accustomed to over the last 15 years. This was not a shock as Microsoft had announced last fall that it would be taking a different approach with Patch Tuesday – replacing its Microsoft Security Bulletin website with the Security Updates Guide. The switchover originally was slated for February, but when that update was cancelled it was pushed back two months to April.
The primary changes made were improved search, the ability to filter out unwanted products, and its use of the RESTful API.
Amol Sarwate, director of engineering at Qualys, and a monthly commentator on Microsoft's Patch Tuesday offerings, gave the new look an overall thumbs up.
“The most recent change, which involves replacing 'Security Bulletins' with the new 'Security Update Guide' portal offers better search and API capabilities. However, it does not offer consolidation of that information into simple, easily digestible groups that give readers a holistic view of the monthly updates,” he told SC Media.
Cris Thomas, a strategist with Tenable, said it's understandable that there might be some pushback against this new methodology, but in the end the point is to eliminate cybersecurity risks in the most efficient way possible.
“This new portal should make it easier for many people to integrate Microsoft security information into other security products to help organizations better understand their networks and exposure, and hopefully result in a safer world for everyone,” he said.
However, not everyone is on board with the supposed user friendliness of the new system.
Chris Goettl, a product manager with Ivanti, said he was at first quite impressed with the portal's appearance and new features, but once the changeover took place his impression quickly soured. For one, he described a scene where his display was covered with open vulnerability pages.
“In March, on the bulletin system, I was able to research the 136 vulnerabilities across 18 bulletins in March in about two hours 30 minutes. In April, I was researching 46 vulnerabilities and it took nearly four hours. At one point, I had all 46 vulnerability pages open at one time to find the information I needed,” Goettl said.
He added that the new system has eroded the granular control that was previously available – using as an example that in the March update Microsoft had broken out Internet Explorer out of the 'security only' updates. This asset gave companies more control over what to install. In fact, if he were given Microsoft's ear on the subject this would be one of his recommendations on how to improve how it handles patches.
“I would suggest a Security Only option for Windows 10 and Server 2016, break IE out for the Security Only there as well. Organize the vulnerabilities under a parent KB in the new “bulletinless” model so it is easier to know what all vulnerabilities apply to a KB,” Goettl said.
Sarwarte also had a suggestion. “I would like to see the new 'Release Notes' be enhanced so that CVEs with related priorities, exploit statuses and other factors are clubbed together to give security practitioners a consolidated view of the monthly updates for ease of prioritization,” he told SC.