Microsoft announced a new Security Guide to help cybersecurity professionals more quickly untangle relevant bugs in its monthly security bulletins.
Microsoft has updated its Security Update Guide, which is used by tens of millions of cybersecurity professionals the second Tuesday of every month, also known as Patch Tuesday. The update, according to Microsoft, is meant to deliver a more intuitive user experience.
For its latest update, introduced three weeks ahead of its Oct. 13 Patch Tuesday, Microsoft is boasting an improved user experience and a more modern user interfaces, better filtering and customization options for data views, and improved support for multiple languages.
The update is “to help protect our customers regardless of what Microsoft products or services they use in their environment,” according to a Microsoft Security Response Center blog post on Tuesday.
My team launched a thing today, proud of them! Our new and improved Security Update Guide is a major step forward for MSRC UX and dramatic improvement for our customers to more easily consume Microsoft security patch information. Check it out => https://t.co/bmfQ5KHQAg https://t.co/C2mrHwx9xu
— Matthew Dressman (@mdressman) September 22, 2020
Scott Caveza, research engineering manager at Tenable said the update was a plus. “All of the old functionality is there, and the new UI is more user friendly and intuitive, once you get used to the new format,” he told Threatpost. He added that the updated interface reduced the manual effort necessary to identify which patches apply to their systems.
“The best news is that they realize it needs improvement,” said Dustin Childs, communications manager with Zero Day Initiative. “It is nice to be able to select columns to view, but what is still missing is a snapshot overview of risk for a particular release. For example, on Patch Tuesday, my first question is how many of these bugs are under active attack? Which ones are publicly known? Which ones are severe and require special attention? That data is there, but it still takes some digging to get to it. Hopefully Microsoft will continue to improve the processes they use to communicate security patches. With the volume of patches they are releasing this year, they will certainly have ample opportunities to practice,” Childs said.
Microsoft has tinkered over the years with the way it delivers security updates to is vast product catalog. For instance, in 2017, Microsoft debuted a new system that introduced API support that would help customers automate some aspects of patching. The efforts have been met with a mix of cheers and jeers.
- A column-selector with export support to generate and download custom reports.
- Multiple tables with scenario-focused data views
- “Vulnerabilities” table, listing all CVE details.
- “Downloads” table, listing package-related information for security updates.
- “All” table, presenting the most data and customization options.
So far, some security professionals have been critical of the way the new Security Update Guide handles exporting data to spreadsheets.
The CVE also loses html – see the diff? pic.twitter.com/XBYL0R6Nvs
— SBSDiva (@SBSDiva) September 22, 2020
But others on Twitter see it as a big improvement.
Huge improvement – good job!
— Duncan McCormack (@DuncanMcCNZ) September 22, 2020
“The ability to group updates by CVE is wonderful,” Caveza said. “A lot of security personnel target vulnerabilities in their patching, and the new Vulnerabilities tab really helps with that. The Deployments section also notes which updates require reboots and if any known issues have been identified, both of which are key details that any system administrator can appreciate. With the new guide, scheduling and planning for deployments may be much easier and more streamlined by having these key details in one place.”
(This article was updated 9/22 with quotes from Scott Caveza and Dustin Childs at 2:22 pm ET)