Slashdot Mirror


Microsoft's Security Bulletins Will End In February (computerworld.com)

Remember how Microsoft switched to cumulative updates? Now Computerworld points out that that's bringing another change. An anonymous reader quotes their report: Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches... A searchable database of support documents will replace the bulletins; that database has been available, albeit in preview, since November on the portal Microsoft dubbed the "Security Updates Guide," or SUG. The documents stored in the database are specific to a vulnerability on an edition of Windows, or a version of another Microsoft product. They can be sorted and filtered by the affected software, the patch's release date, its CVE identifier, and the numerical label of the KB, or "knowledge base" support document.
Redmond Magazine reports that Microsoft still plans to continue to issue its security advisories, and to issue "out-of-band" security update releases as necessary.

39 comments

  1. Anybody used the new REST API? by raymorris · · Score: 1

    Has anyone used the new REST API they are replacing bulletins with? I've had trouble finding information about it, other than being told it's in no way RESTful.

    1. Re:Anybody used the new REST API? by Anonymous Coward · · Score: 0

      REST is dumb.

      The HTTP request methods that are ignored outside of REST are ignored for a reason: POST replaces them all.

      GET = shows parameters in URL, bad for caching, may cause security problems
      POST = parameters in body keep caching and security issues to a minimum
      PUT = file uploads

      everything else = useless because POST can do it already

      Then there's the "new" definition of "RESTful API": "Not SOAP". That's what they were probably trying to convey by calling it RESTful.

    2. Re: Anybody used the new REST API? by Anonymous Coward · · Score: 0

      You don't like HEAD?

  2. Ah yes by Anomalyst · · Score: 1

Change for the sake of change, lacking any legitimate reason (aside from additional revenue, I have no doubt access is replete with [self aggrandizing] banners and such). It's not better, just different.

    --
    There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
    1. Re:Ah yes by Anonymous Coward · · Score: 3, Informative

      It is better, you can access it across REST API, integrate your own interface and watch exactly what you want to watch. We are looking at integrating it into our alerting system to trigger alerts for individual teams based on their area of responsibility. This is much better than trawling through bulletins.

    2. Re:Ah yes by Anonymous Coward · · Score: 0

      The only thing that could possibly make this a positive, is if combining the security patches with the rest of the things they're putting in -- no doubt more spyware/telemetry bullshit -- helps to obfuscate reverse engineering the security fixes. Ideally, the implementations should be described in detail, though, so they're being held accountable to the quality of their fixes. As if this has ever happened, though.

    3. Re:Ah yes by jellomizer · · Score: 3, Insightful

So offload the work from people who are security and system administration minded and dump it on the other teams who are focused on meeting the business objectives. So this way more security holes get put in, but that is fine because it is the other departments' fault.
Just because the staff may have the ability to monitor such stuff, it doesn't mean they have the time and resources to actually do the job.
Hey, it may work at your organization, but you are crossing one of the pet peeves I have at my work, where the System Administration dumps edicts and their jobs on the App teams while the App teams also have a full workload.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Ah yes by arglebargle_xiv · · Score: 3, Funny

      Change for the sake of change, lacking any legitimate reason

      There's a perfectly legitimate reason for doing this. As everyone knows, Windows 2000^H^H^H XP^H^H^H Vista^H^H^H 7^H^H^H 8^H^H^H 10 is the most secure version of Windows ever, so there's no need for security bulletins any more because it's so secure.

    5. Re:Ah yes by Anonymous Coward · · Score: 0

      Sounds like you have a very chaotic and disorganized environment.

    6. Re:Ah yes by ElizabethGreene · · Score: 1
      Security bulletins aren't a great way to track how secure or insecure software is. The best way to do that is with the CVE system. Microsoft (and most other vendors) log publicly and privately reported vulnerabilities as CVEs and link to the CVE when describing vulnerabilities.

      My hope is that this change will eliminate some of the pain of running down security bulletin data. Right now if someone asks you if you are patched against MS16-040 you have to go look that up, look up each individual KB inside that, see which ones have been superseded by other updates and check that against your CMDB. Making that simpler would be a win-win.

      Full disclosure, I work for Microsoft as a dedicated PFE. The above is my opinion and hope, not paid shilling.

    7. Re:Ah yes by arglebargle_xiv · · Score: 1

It depends on how they track the issues. At the moment when you're offered update XYZ, which always comes with zero information as to what it does ("this is to address security and stability issues" or whatever), you can click on a link, and then another link, and then scroll down, and then expand some text, and then click on yet another link, and maybe find out what it is the update is addressing. If you can still go from totally-zero-information to at least some information, whether it's a bulletin or CVE, then that's fine. However it seems like what this is announcing is the removal of even the current hard-to-find information about what an update actually does, which is also in line with MS's ongoing policy of removing user control over updates.

    8. Re:Ah yes by Anonymous Coward · · Score: 0

MS16-120 is also another great example of a bulletin with a dozen KB #s tied to it.

I look forward to this new setup; it should make comparing patch results with tools like Nexpose much easier.

Now MS just needs to get going on bringing the older fixes into the fold.
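The lookup ElizabethGreene describes (bulletin, then each KB inside it, then supersedence, then the CMDB) and the per-team alerting and scanner-comparison use cases mentioned above all reduce to the same join: a per-(CVE, product) feed on one side, an installed-KB inventory on the other, with supersedence in between. The script below is an added example and is not Microsoft's code, nor the real Security Updates Guide schema or API: the feed rows, KB numbers, CVE identifiers, supersedence map and host inventory are all constructed placeholders. What it shows is the part that is easy to get wrong, namely that a host is covered when the required KB *or any KB that transitively supersedes it* is installed, and that "no row for this CVE on this product" must be reported as unknown rather than as patched.

```python
"""Answer "are we patched against CVE X on product Y?" from a per-vulnerability
feed plus a KB supersedence map.  Added example with CONSTRUCTED data; the
schema is not Microsoft's Security Updates Guide format."""
import json
from collections import deque

# Constructed feed: one row per (CVE, product edition) naming the fixing KB.
# Identifiers are placeholders, not real CVEs or KB articles.
SAMPLE_FEED = """[
 {"cve": "CVE-2017-90001", "product": "Windows 7 SP1 x64",   "kb": "9000001"},
 {"cve": "CVE-2017-90001", "product": "Windows 10 1607 x64", "kb": "9000010"},
 {"cve": "CVE-2017-90002", "product": "Windows 7 SP1 x64",   "kb": "9000001"},
 {"cve": "CVE-2017-90003", "product": "Windows 7 SP1 x64",   "kb": "9000002"},
 {"cve": "CVE-2017-90003", "product": "Windows 10 1607 x64", "kb": "9000010"}
]"""

# Constructed supersedence: newer KB -> KBs it replaces (e.g. a monthly rollup
# replacing the security-only updates, and a later rollup replacing that one).
SUPERSEDENCE = {
    "9000003": ["9000001", "9000002"],
    "9000004": ["9000003"],
}

# Constructed inventory, as a CMDB export might look: host -> product + KBs.
SAMPLE_INVENTORY = {
    "web01": {"product": "Windows 7 SP1 x64",   "kbs": ["9000003"]},
    "web02": {"product": "Windows 7 SP1 x64",   "kbs": ["9000002"]},
    "app01": {"product": "Windows 10 1607 x64", "kbs": ["9000010"]},
}


def load_feed(text):
    """Parse the feed and reject rows missing the keys the join relies on."""
    rows = json.loads(text)
    for row in rows:
        for key in ("cve", "product", "kb"):
            if key not in row:
                raise ValueError(f"feed row missing {key!r}: {row}")
    return rows


def required_kbs(feed, cve, product):
    """KBs the feed says fix `cve` on `product` (normally one, can be several)."""
    return {r["kb"] for r in feed if r["cve"] == cve and r["product"] == product}


def equivalent_kbs(kb, supersedence):
    """`kb` plus every KB that transitively supersedes it (breadth-first)."""
    superseded_by = {}                      # older -> {newer, ...}
    for newer, olders in supersedence.items():
        for old in olders:
            superseded_by.setdefault(old, set()).add(newer)
    seen, queue = {kb}, deque([kb])
    while queue:
        for newer in superseded_by.get(queue.popleft(), ()):
            if newer not in seen:
                seen.add(newer)
                queue.append(newer)
    return seen


def is_patched(feed, supersedence, cve, product, installed_kbs):
    """True/False if the feed covers (cve, product); None when it has no row,
    so "no data" is never silently reported as "patched"."""
    required = required_kbs(feed, cve, product)
    if not required:
        return None
    installed = set(installed_kbs)
    return all(equivalent_kbs(kb, supersedence) & installed for kb in required)


def missing_patches(feed, supersedence, inventory):
    """host -> sorted (cve, kb) pairs for which neither the KB nor a superseding
    KB is installed; an empty list means the host is current for its product."""
    report = {}
    for host, info in inventory.items():
        installed = set(info["kbs"])
        gaps = {
            (r["cve"], r["kb"]) for r in feed
            if r["product"] == info["product"]
            and not equivalent_kbs(r["kb"], supersedence) & installed
        }
        report[host] = sorted(gaps)
    return report


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for host, gaps in missing_patches(feed, SUPERSEDENCE, SAMPLE_INVENTORY).items():
        print(host, "OK" if not gaps else gaps)
```

In the constructed data, web01 carries only the rollup 9000003 and is reported clean because the rollup supersedes both security-only KBs, while web02 still has the old 9000002 and is flagged for the two CVEs fixed by 9000001. Routing `missing_patches` output by hostname to the owning team is the alerting integration the earlier reply describes.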

  3. What ?? by ddtmm · · Score: 3, Funny

    I have no idea what this means

    1. Re:What ?? by SeaFox · · Score: 2

      I have no idea what this means

      Sounds like beginning in February, you'll be able to use that line a whole lot more -- as to why an update was sent out.

  4. Abuse? by Anonymous Coward · · Score: 2, Funny

    It's Microsoft, so it is probably a way of delivering abuse.

    1. Re:Abuse? by poofmeisterp · · Score: 1

      It's Microsoft, so it is probably a way of delivering abuse.

...so fixes can be put out so they can be abused... so...

  5. SUG? by Anonymous Coward · · Score: 0

    Well, that sugs...

    1. Re:SUG? by Anonymous Coward · · Score: 0

Hehe, suspect they didn't check that acronym with their Swedish employees.

      Literally "suck" in imperative form.

  6. How does this profit Microsoft? by mmell · · Score: 4, Insightful
    It's going to cost enterprises money to adapt to this change - whether it's for the better or not - because they have to spend time and effort evaluating and redesigning their patch and security management stances.

    OTOH, they did manage to make the famous "patch Tuesday" and equally infamous "exploit Wednesday" go away . . . then again, nowadays it seems like every day is "exploit Wednesday".

  7. Microsoft keeps on forking things up. by Anonymous Coward · · Score: 0

    Microsoft, why do you hate your users?

    If you make something that works perfectly fine, and people like it, why change it?

    1. Re:Microsoft keeps on forking things up. by Anonymous Coward · · Score: 0

      Why do they change it?

      Because they can.
Don't most computers these days run Windows?
What's that? They don't?
OK, let's fiddle while Redmond burns (and the FOSS world cheers).

  8. Detailed? by aliquis · · Score: 5, Insightful

    All I've ever seen in Windows is kinda "we've patched a bug in Windows ..." and then you could click some link and then you got about the same information and no real details whatsoever.

    Maybe a bit more detail than what I said but .. nothing really worth mentioning or interesting.

    1. Re:Detailed? by Anonymous Coward · · Score: 0

      Time was when the information one read actually amounted to something. But you are lucky if there is anything on the 'more info' link at all. Mostly it seems to go to a 'not found... try searching'. But if they have broken up their testing teams and distributed the development and maintenance activities across the organization it is no surprise. Every imposed patch cycle is an adventure...

    2. Re:Detailed? by Motherfucking+Shit · · Score: 1

      Usually the "This update fixes yet another gaping hole that will allow anyone to take over your computer" blurb contains a reference to a vulnerability ID like "MS17-004," and then it's on you to go searching for the detailed bulletin. It's a pain in the ass but the details are out there.

      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    3. Re:Detailed? by aliquis · · Score: 1

      Maybe this is the stuff I've seen?
      https://support.microsoft.com/...

    4. Re:Detailed? by Anonymous Coward · · Score: 0

Even the Windows 10 "free upgrade" as shown to Windows 7 and 8 users through Windows Update simply said "this update resolves issues in Windows..", saying absolutely nothing about what the update actually was or the hell you and your computer would suffer if it was installed.

    5. Re:Detailed? by aliquis · · Score: 1

The worst Windows "feature" of them all is the fucking enforced reboot of your machine to install their damn upgrades.

    6. Re:Detailed? by ayesnymous · · Score: 1

      They used to provide very detailed patch bulletins, but they stopped doing it maybe 5 or so years ago.

  9. Not that I care by butzwonker · · Score: 2, Insightful

    On my Windows 7 machine, every cumulative security update since last October has failed anyway. I was told that it might have to do with the fact that it's a dual boot system. Be that as it may, since I use Linux for main work it doesn't matter that much, I will just make sure that I never use Windows for any payments or passwords and let Windows slowly 'phase out'. (Unfortunately, I cannot give it up entirely, because I'm using a lot of commercial Windows-only audio software.)

  10. They should rather fix Windows Update by Anonymous Coward · · Score: 0

    Still can't install the December patches...as is the case with many other users.

  11. Not surprising by quonset · · Score: 3, Insightful

With each iteration of Windows Microsoft has made it more and more difficult to find and change settings on your own machine, even going so far as to move settings from one area they've been in for the longest time to a completely different and unrelated section.

    Now comes the updates. In the past one could easily find what the update entailed by reading the update itself (not always helpful) or by clicking the link Microsoft provided. Instead of that easy process one will now have to jump through hoops to find what they want.

    Considering how often we hear Microsoft's software is supposed to make life easier, they sure seem to be going out of their way to make it more difficult.

    1. Re:Not surprising by poofmeisterp · · Score: 1

With each iteration of Windows Microsoft has made it more and more difficult to find and change settings on your own machine, even going so far as to move settings from one area they've been in for the longest time to a completely different and unrelated section.

      Now comes the updates. In the past one could easily find what the update entailed by reading the update itself (not always helpful) or by clicking the link Microsoft provided. Instead of that easy process one will now have to jump through hoops to find what they want.

      Considering how often we hear Microsoft's software is supposed to make life easier, they sure seem to be going out of their way to make it more difficult.

      I think the second line sentences are a way of saying, "A way for Microsoft 'to just get you to install their fucking update or whatever they call an update and stop spending time finding out what it is and making choices as to whether or not you want them. Just fucking do it, already.'"

      Am I wrong? :)

  12. When MSFT backported their spying .... by Anonymous Coward · · Score: 0

    When MSFT backported their spying, I stopped using Windows, stopped patching and started limiting what that machine could do online, to only getting TV schedules. It is a Win7 media center used just to record OTA TV. It is not used to watch any TV, recordings, music and not used for surfing.

    Life has been much easier since switching mainly to Linux. I don't worry much about an OS vendor spying or modifying the OS to bypass normal network controls. With Linux, the power is in MY hands.

  13. Re: Anyone still hack windows? by Anonymous Coward · · Score: 0

    The headline should be:
    "Microsoft saves millions in restructuring costs"

  14. Backwards, POST can't be cached, GET can by raymorris · · Score: 2

    Probably a typo, you listed it backwards. GET is cacheable, POST is not, by definition.

    GET puts the parameters in the URL specifically so that a cache can return the proper resource based on the URL - users.doc?page=2 will return the second page of users.

    POST *creates* something on the server or otherwise alters it, so just returning a cached response without sending the post to the origin isn't the same at all. You can't cache create_user.do, you actually have to send the command to the server each time you want to create a user.

    1. Re:Backwards, POST can't be cached, GET can by poofmeisterp · · Score: 1

      Probably a typo, you listed it backwards. GET is cacheable, POST is not, by definition.

      GET puts the parameters in the URL specifically so that a cache can return the proper resource based on the URL - users.doc?page=2 will return the second page of users.

      POST *creates* something on the server or otherwise alters it, so just returning a cached response without sending the post to the origin isn't the same at all. You can't cache create_user.do, you actually have to send the command to the server each time you want to create a user.

      With the introduction of quantum computing, yes, POST will be able to be cached. Or not cached. Or cached a little. *failed drumroll*
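The cacheability point raymorris makes above is worth seeing as code, because it is exactly the behaviour a shared cache in front of an update feed has to get right. The following is an added illustration, not code from the thread or from any real cache: a toy origin serving the `users.doc?page=N` and `create_user.do` endpoints from the comment, behind a cache that stores GET responses keyed on the full URL (query string included) and always forwards POST. The origin, the endpoints and the invalidation policy are all constructed for the example.

```python
"""Toy HTTP cache honouring method semantics: GET is cached per full URL,
POST always reaches the origin.  Added example with a constructed origin."""
from urllib.parse import parse_qs


class Origin:
    """Stand-in origin server; counts how often requests actually reach it."""

    def __init__(self):
        self.hits = 0
        self.users = ["alice", "bob", "carol"]

    def handle(self, method, url, body=None):
        self.hits += 1
        path, _, query = url.partition("?")
        if method == "GET" and path == "/users.doc":
            # One user per page; the page number comes from the query string,
            # which is why it must be part of the cache key.
            page = int(parse_qs(query).get("page", ["1"])[0])
            return 200, self.users[page - 1:page]
        if method == "POST" and path == "/create_user.do":
            self.users.append(body["name"])     # state change: never cacheable
            return 201, len(self.users)
        return 404, None


class Cache:
    """Caches only safe methods.  An unsafe request is forwarded and, as the
    simplest correct policy, drops every cached entry: a real cache (RFC 7234)
    would invalidate only the request URI and rely on the origin's
    Cache-Control headers for the rest, but it still never serves a POST from
    store."""
    SAFE_METHODS = {"GET", "HEAD"}

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def request(self, method, url, body=None):
        if method in self.SAFE_METHODS:
            if url not in self.store:
                self.store[url] = self.origin.handle(method, url)
            return self.store[url]
        response = self.origin.handle(method, url, body)
        self.store.clear()
        return response


if __name__ == "__main__":
    origin, cache = Origin(), Cache(origin)
    print(cache.request("GET", "/users.doc?page=2"))   # origin hit
    print(cache.request("GET", "/users.doc?page=2"))   # served from cache
    print(cache.request("POST", "/create_user.do", {"name": "dave"}))
    print("origin hits:", origin.hits)
```

Two requests for `page=2` cost one origin hit, `page=3` is a different key and costs another, and every `create_user.do` POST reaches the origin, which is the distinction the parent comment draws. The flip side for a security engineer is the one the earlier AC alluded to: because the GET key is the whole URL, whatever you put in a query string ends up in cache keys and access logs, so secrets do not belong there.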

  15. Shooting off your cocksucker again troll? by Anonymous Coward · · Score: 0

    "I don't shoot my mouth off without knowing what I'm talking about" - by raymorris (2726007) on Thursday December 31, 2015 @09:29AM (#51215379)

    Raymorris you shoot your mouth off f'ing up in 2 security fuckups https://it.slashdot.org/comments.pl?sid=5351503&cid=47379233/ & https://slashdot.org/comments.pl?sid=5351503&cid=47374033/ + raymorris = scriptkiddie https://politics.slashdot.org/comments.pl?sid=8895203&cid=51726265/

    &

    Tell us how ONLY 'newer script kiddie tools' have stringlength built in (when PASCAL had it for ages - my fav tool) https://slashdot.org/comments.pl?sid=8472509&cid=51114383/ YOU BLUNDERING WANNABE!

    APK

    P.S.=> You like to talk behind others' backs like the gossiping bitch TROLL you are raymorris https://slashdot.org/comments.pl?sid=9880997&cid=53312265/ well, here I am letting YOU TALK in those links, showing your FAILS wannabe ... apk