With the old method of patching now fully gone (October’s patchocalypse eradicated individual patches from every Windows version), Microsoft has announced that the documentation to accompany those patches is in for a significant change. Most notably, Security Bulletins will disappear, replaced by a lengthy list of patches and tools for slicing and dicing those lists.
Security Bulletins go back to June 1998, when Microsoft first released MS98-001. That and all subsequent bulletins referred to specific patches described in Knowledge Base articles. The KB articles, in turn, have detailed descriptions of the patches and lists of files changed by each patch. The Security Bulletins serve as an overview of all the KB patches associated with a specific security problem. Some Security Bulletins list dozens of KB patches, each for a specific version of Windows.
The Security Bulletin system is archaic and has led to all sorts of silly conclusions. As the volume of monthly patches has grown into the hundreds, it’s also become unwieldy. I groan when I read a headline that says, “This month is a very heavy patching month because there are xx more Security Bulletins than usual,” or “We have x Security Bulletins, of which y are rated Critical and z Important.” The numbers and ratings don’t matter. Microsoft’s dumping the artifice created by the Security Bulletins, and to that I say good riddance. The KB system remains, uniquely identifying individual patches, but they’re going to be knitted together differently.
Starting in January, we’ll have two lists or, more accurately, two ways of viewing a master table.
- The Security Updates Guide lists Security-only updates (each a KB article) and identifies each by product. For Internet Explorer and Edge, the Guide lists both the product and the platform (for example, Edge for Win10 version 1607). You can view the monthly release notes (a very abbreviated version of the old Security Bulletin), and you can search for specific security holes by CVE number.
- The Software Update Summary lists security patches by KB number.
Keep in mind that we’re only talking about security patches and the security part of the Windows 10 cumulative updates. Nonsecurity patches and Win7/8.1 monthly rollups are outside of this discussion.
To see where this is going and to understand why it’s vastly superior to the Security Bulletin approach, look at the lists for November 8, this month’s Patch Tuesday. The main Windows Update list shows page after page of security bulletins, identified by MS16-xxx numbers, and those numbers have become ambiguous. See, for example, MS16-142 on that list, which covers both the Security-only update for Win7, KB 3197867, and the Monthly rollup for Win7, KB 3197868. The MS16-142 Security Bulletin itself runs on for many pages.
Now flip over to the Security Updates Guide. In the filter box, type “windows 7” and press Enter. You see four security patches (screenshot below): IE11 and Windows, both 32- and 64-bit. They’re all associated with KB 3197867.
In the Software Update Summary, searching for “windows 7” yields only one entry, for the applicable KB number (screenshot below).
Here’s why the tools are important. In this month’s Patch Tuesday, we got 14 Security Bulletins. Those Security Bulletins actually contain 55 different patches for different KB numbers; the Security Bulletin artifice groups those patches together in various ways. The 55 different security patches actually contain 175 separate fixes, when you break them out by the intended platform.
There’s a whole lotta patchin’ goin’ on.
Starting this month, you can look at the patches either individually (in the Security Updates Guide) or by platform (in the Software Update Summary), or you can plow through those Security Bulletins and try to find the patches that concern you. Starting in January, per the Microsoft Security Response Center, the Security Bulletins are going away.
Of course, the devil’s in the implementation details, but all in all this looks to me like a reasonable response to what has become an untenable situation.