Patch/Configuration Management, Vulnerability Management

Microsoft to offer more Patch Tuesday details in advance notifications

A new initiative from Microsoft will take some of the sting out of its Patch Tuesday security updates by offering additional information about the patches five days prior to their release.

While Microsoft informs administrators and end-users how many patches it plans to deliver and which platforms they affect, many security pros are left guessing just how significant the load will be.

The new advance notifications (ANS), scheduled to debut June 7, will contain maximum severity rating, vulnerability impact, detection information and affected software for each bulletin. They will not be grouped by platform.

"We’ve received positive feedback on the ANS, but customers have told us additional information would be even more helpful," Mark Miller of the Microsoft Security Response Center said Wednesday on the team's blog.

Johannes Ullrich, CTO of the SANS Internet Storm Center, told today that the changes will help organizations determine which fixes are most pressing.

"A lot of people use different patch schedules for ‘critical’ versus ‘important," he said. "Last week, they had five patches that were all [maximum severity rating of] critical. But you didn’t really know how many of the individual bulletins were critical."

Eric Schultze, chief security architect at Shavlik Technologies, told today that the more detailed pre-release announcements will not give away any information that may help hackers prepare an attack.

"Overall, it will be an aid to system administrators," he said.

Still, despite the additional information, organizations will not know the full extent of what awaits them until the patches are officially delivered, Ullrich said.

"What people are looking for is how much work it will take to apply these patches, and that’s always hard to predict until you see them," he said.

Microsoft also announced a planned security bulletin redesign that seeks to move pertinent information to the top of the advisory, eliminate repetitive content and compile the affected products in a table instead of a list.


Get more IT security news. Click here for SC Magazine Blogs.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.