With the old method of patching now completely gone—October’s patchocalypse eliminated individual patches from every Windows version—Microsoft has announced that the documentation to accompany those patches is in for a significant change. Most notable, Security Bulletins will disappear, replaced by a lengthy list of patches and tools for slicing and dicing those lists.
Security Bulletins go back to June 1998, when Microsoft first released MS98-001. That and all subsequent bulletins referred to specific patches described in Knowledge Base articles. The KB articles, in turn, have detailed descriptions of the patches and lists of files changed by each patch. The Security Bulletins serve as an overview of all the KB patches associated with a specific security problem. Some Security Bulletins list dozens of KB patches, each for a specific version of Windows.
The Security Bulletin system is archaic and has led to all sorts of silly conclusions. As the volume of monthly patches has grown into the hundreds, it’s also become unwieldy. I groan when I read a headline that says, “This month is a particularly heavy patching month because there are xx more Security Bulletins than usual,” or “We have x Security Bulletins, of which y are rated Critical and z Important.” The numbers and ratings don’t matter. Microsoft’s dumping the artifice created by the Security Bulletins, and to that I say good riddance. The KB system remains, uniquely identifying individual patches, but they’re going to be knitted together differently.
Starting in January, we’ll have two lists—or, more accurately, two ways of viewing a master table.
- The Security Updates Guide lists Security-only updates—each KB articles—and identifies it by product. For Internet Explorer and Edge, the Guide lists both the product and the platform (for example, Edge for Win10 version 1607). You can view the monthly release notes (a very abbreviated version of the old Security Bulletin), and you can search for specific security holes by CVE number.
- The Software Update Summary lists security patches by KB number.
Keep in mind that we’re only talking about security patches and the security part of the Windows 10 cumulative updates. Nonsecurity patches and Win7/8.1 monthly rollups are outside of this discussion.
To see where this is going and to understand why it’s vastly superior to the Security Bulletin approach, look at the lists for November 8, this month’s Patch Tuesday. The main Windows Update list shows page after page of security bulletins, identified by MS16-xxx numbers, and those numbers have become ambiguous. See, for example, MS16-142 on that list, which covers both the Security-only update for Win7, KB 3197867, and the Monthly rollup for Win7, KB 3197868. The MS16-142 Security Bulletin itself runs on for many pages.
Now flip over to the Security Updates Guide. In the filter box type
windows 7 and press Enter. You see four security patches (screenshot below): IE11 and Windows, both 32- and 64-bit. They’re all associated with KB 3197867.
In the Software Update Summary, searching for “windows 7” yields only one entry, for the applicable KB number (screenshot below).
Here’s why the tools are important. On this month’s Patch Tuesday, we received 14 Security Bulletins. Those Security Bulletins actually contain 55 different patches for different KB numbers; the Security Bulletin artifice groups those patches together in various ways. The 55 different security patches actually contain 175 separate fixes, when you break them out by the intended platform.
There’s a whole lotta patchin’ goin’ on.
Starting this month, you can look at the patches either individually (in the Security Updates Guide) or by platform (in the Software Update Summary), or you can plow through those Security Bulletins and try to find the patches that concern you. Starting in January, per the Microsoft Security Response Center, the Security Bulletins are going away.
Of course, the devil’s in the implementation details, but all in all this seems to me like a reasonable response to what has become an untenable situation.