Microsoft has come under criticism after debuting a new version of its Security Update Guide (SUG), featuring a revised look that detractors say sacrifices usability and clarity for a more streamlined format.
Previous installments of SUG articles contained vulnerability entries consisting of several written sentences describing a bug’s source, its category and complexity, how an attacker could exploit the flaw, and how the problem was fixed. These summaries have now disappeared in favor of a spreadsheet-like table that describes a vulnerability’s various attributes using primarily one-word terms that correspond to official terminology from the Common Vulnerability Scoring System (CVSSv3) standards.
In a blog post yesterday, Lisa Olson, senior security program manager with the Microsoft Security Response Center, argued that the new format includes all of the same information, and more, that the previous one did – just not in so many words.
For instance, while the old version might say: “To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application,” the new format would simply read: “Attack Vector: Local.” And instead of saying “The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory,” the new version would succinctly state: “Official Fix.”
Olson said in the blog post that there actually “wasn’t much to” having all those extra words in the old description, “though they were comforting.” The information provided in the new version “contains all sorts of more useful information,” including if a bug’s scope is changed.
But some security experts aren’t buying it, insisting that the extra context in the old iteration was helpful, especially for those who aren’t security professionals intimately familiar with how the CVSS system works.
“While a CVSS score is sufficient for some bugs, many require a description to let customers know the risk from a CVE. Removing the description benefits no one,” said Dustin Childs, communications manager with Trend Micro’s Zero Day Initiative. “What’s missing is information on how an attacker might use the bug, the impact of a successful attack, and how the patch fixes the vulnerability. For some bugs, this is obvious. For others, it’s not clear at all. Network defenders need those questions answered to determine the risk to their enterprise.”
Bob Huber, chief security officer at Tenable, also looks unfavorably upon the change, calling it a “bad move, plain and simple.”
“By relying on CVSSv3 ratings alone, Microsoft is eliminating a ton of valuable vulnerability data that can help inform organizations of the business risk a particular flaw poses to them,” said Huber. “With this new format, end users are completely blind to how a particular CVE impacts them. What’s more, this makes it nearly impossible to determine the urgency of a given patch. It’s difficult to understand the benefits to end users.”
For other software developers, there is a lesson in this: “Vendors should be as transparent as possible when it comes to describing their security patches,” said Childs. “By having no descriptions, they are asking customers to make significant changes to their systems with no indication of what those changes might be. In some instances, the titles are so vague, it’s not even clear which component is affected. If you want customers to trust your patches and just apply them without question, it helps to be trustworthy to begin with.”
Lamar Bailey, senior director of security research at Tripwire, agreed that SUG’s streamlined format detracts from its usability, noting that the new format is more consumer-friendly than corporate-friendly.
“Microsoft is moving towards a model that works well for consumers by just giving them one patch to install and limited details that many people would not understand or care about. But they are doing a disservice to other customers,” Bailey explained. “Organizations cannot just patch on a whim – the sysadmins need to evaluate the vulnerabilities and prioritize the updates based on a risk assessment. Patching Windows systems and services can cause outages that cost organizations time and money.”
Ultimately, companies may have to rely more heavily on third-party expertise for vulnerability evaluations, if Microsoft does not supply sufficient context and data, he added.
And while a well-informed security professional might look at a bug entry in Microsoft’s revised SUG and quickly understand how the CVSS-based table translates to overall risk assessment, not everyone in your organization is equipped to do that, experts remarked.
“Microsoft also must consider that many folks who review Patch Tuesday releases aren’t security practitioners,” said Huber. “They are the IT counterparts responsible for actually applying the updates who often aren’t able to, and shouldn’t have to, decipher raw CVSS data.”
“They need to consider their audience,” agreed Chris Goettl, senior director of product management, security, at Ivanti. “I think they have only considered the security analyst in this case, but the operations admin who actually needs to do the patching could use this context as well and is not as comfortable with reading the CVSS format and quickly able to interpret to understand what it all means.”
“One of the significant challenges for organizations is bridging the language barrier between security and operations,” Goettl continued. “Security analysts often struggle to make their recommendations understood to the business and this causes the delays that keep companies exposed. This change is a step back on bridging that very critical gap.”
Goettl said Microsoft’s old vulnerability descriptions “gave the operations admin the context they need to understand how an attack may be used against their environment.” For instance, a bug entry that simply states “User Interaction: Required” isn’t nearly as helpful to an operations admin as clarifying that the attacker must convince a user to open a specially crafted file or click a link to a malicious website.
“A security analyst can probably make some assumptions and come to a close approximation of how that vulnerability could be used, but an operations admin... or application owner who has very limited understanding of how any of this works may never gain the level of understanding that we really need them to gain,” Goettl explained.
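The mapping the article describes, both the “Attack Vector: Local” shorthand above and the “User Interaction: Required” entry here, is the CVSSv3.1 base vector. As an added illustration that is not part of the article or any Microsoft tooling, the following Python parses such a vector, computes the base score using the published CVSSv3.1 equations, and expands each metric into the kind of sentence the old SUG used to carry; the glosses are this example’s own wording, not Microsoft’s.

```python
import math

# Glosses for each base-metric value; the wording is constructed for this example.
GLOSS = {
    "AV": {"N": "reachable over the network", "A": "reachable only from the adjacent network",
           "L": "an attacker would have to log on to the affected system", "P": "physical access is required"},
    "AC": {"L": "no special conditions are needed", "H": "the attacker must first defeat a mitigation or win a race"},
    "PR": {"N": "no privileges are needed", "L": "a low-privileged account is needed", "H": "an administrative account is needed"},
    "UI": {"N": "no user interaction is needed",
           "R": "the attacker must convince a user to open a crafted file or follow a link"},
    "S": {"U": "impact stays within the vulnerable component", "C": "impact can reach other components (scope changed)"},
    "C": {"N": "no data disclosure", "L": "limited data disclosure", "H": "full disclosure of protected data"},
    "I": {"N": "no data tampering", "L": "limited data tampering", "H": "full control over protected data"},
    "A": {"N": "no availability loss", "L": "degraded availability", "H": "complete denial of service"},
}
# Numeric weights from the CVSSv3.1 specification; Privileges Required depends on Scope.
W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
     "UI": {"N": .85, "R": .62}, "CIA": {"H": .56, "L": .22, "N": 0.0},
     "PR": {"U": {"N": .85, "L": .62, "H": .27}, "C": {"N": .85, "L": .68, "H": .5}}}

def roundup(x):
    """CVSSv3.1 Roundup(): smallest one-decimal value >= x, tolerant of float noise."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse_vector(vector):
    """Turn 'CVSS:3.1/AV:N/...' into {'AV': 'N', ...}, rejecting anything malformed."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("not a CVSSv3 vector: %r" % vector)
    m = dict(p.split(":", 1) for p in parts[1:])
    if set(m) != set(GLOSS) or any(m[k] not in GLOSS[k] for k in m):
        raise ValueError("bad or missing base metrics: %r" % vector)
    return m

def base_score(m):
    """Base score per the CVSSv3.1 specification, section 7.1."""
    iss = 1 - (1 - W["CIA"][m["C"]]) * (1 - W["CIA"][m["I"]]) * (1 - W["CIA"][m["A"]])
    changed = m["S"] == "C"
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["PR"][m["S"]][m["PR"]] * W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def describe(vector):
    """Score plus one readable sentence per metric, the context the old SUG spelled out."""
    m = parse_vector(vector)
    return {"score": base_score(m), "context": {k: GLOSS[k][v] for k, v in m.items()}}
```

Running `describe("CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H")` (a constructed vector for a typical local elevation-of-privilege bug) yields a 7.8 score alongside the “would have to log on to the affected system” wording that the terse table leaves the operations admin to infer.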
Huber said Microsoft's change in format could potentially even benefit malicious actors. “They’ll reverse engineer the patches and, by Microsoft not being explicit about vulnerability details, the advantage goes to attackers, not defenders,” he said. “Without the proper context for these CVEs, it becomes increasingly difficult for defenders to prioritize their remediation efforts.”
Goettl recommended that Microsoft consider readjusting its thinking and adopt a hybrid of its old and new formats, keeping the CVSS data but adding more context when needed.
SC Media reached out to Microsoft for comment and was directed by a spokesperson back to Olson’s blog post, which said Microsoft is “demonstrating its commitment to industry standards by describing the vulnerabilities with the Common Vulnerability Scoring System (CVSS). This is a precise method that describes the vulnerability with attributes such as the attack vector, the complexity of the attack, whether an adversary needs certain privileges, etc.”
Yesterday, Microsoft released patches for 112 unique common vulnerabilities and exposures (CVEs), 17 of which were considered critical.