IDG Contributor Network: Massive change to a moderate Patch Tuesday

Credit to Author: Greg Lambert| Date: Fri, 14 Apr 2017 09:02:00 -0700

Last month, we had the largest ever release of patches and updates from Microsoft.

This month, we see the biggest change to Patch Tuesday since the first updates were released on the second Tuesday in October 2003, starting with MS03-041. As of April 2017, Microsoft no longer publishes security bulletins in the easy-to-follow MSyy-xxx format.

Now, we have the Microsoft Security Update Guide, which Microsoft defines as the “authoritative source of information on our security updates.” The MSUG is a searchable database of patches and updates that offers some basic queries and filtering. In addition to this database-driven approach, Microsoft has published summary release notes for April 2017 that can be found here. Helpfully, this summary outlines that the following technologies are updated for April:

I applaud Microsoft for following industry best practices and for moving their patch documentation and release notes to the CVRF format. Unfortunately, with the present state of the MSUG, I can’t really match up the CVRF format with patches in a systematic manner.

Over the past 15 years, Microsoft has set the gold standard in communications with its Patch Tuesday approach, and this new format has raised some concerns and drawn some dissenters. The new Microsoft CVRF format supports queries through a RESTful API, and eventually most third-party vendors and other IT pros will develop the tools necessary to test and deploy Microsoft patches with the level of granularity and control that today’s enterprises need to manage large, disparate and heterogeneous environments. Just not today.

If you are stuck trying to figure out what just happened on this April Patch Tuesday, you can still reference all the Windows platform update histories found here:

If you are desperate, you can try to match up the CVE entries with updates in the Security TechCenter acknowledgment page.

The IT world is changing and Microsoft is responding. To quote Steve Daly from Ivanti:

“The IT industry has undergone a major transformation in the last few years. We’ve seen the IT department’s responsibilities evolve from maintaining desktop computers to managing all sorts of devices and other IT assets, both hardware and software, in a number of varied environments. We’ve also seen an explosion in the number and variety of security threats. With these changes comes added cost, risks, and the need for a new approach.”

Hopefully, despite the initial teething problems with the new CVRF format, Microsoft is in the vanguard of this new approach.

This article is published as part of the IDG Contributor Network.