Massive change to a moderate Patch Tuesday

Last month, we had the largest ever release of patches and updates from Microsoft. This month, we see the biggest change to Patch Tuesday since October 2003.

Women with glasses looking up with question mark on a post-it on forehead

Last month, we had the largest ever release of patches and updates from Microsoft.

This month, we see the biggest change to Patch Tuesday since the first updates were released on the second Tuesday in October 2003, starting with MS03-041. Security bulletins with easy to follow formats like MSyy-xxx are no longer published by Microsoft as of April 2017.

Now, we have the Microsoft Security Update Guide which is defined by Microsoft as the "authoritative source of information on our security updates." The MSUG is a searchable database of patches and updates that offers some basic queries and filtering. In addition to this database-driven approach, Microsoft has published summary release notes for April 2017 that can be found here. Helpfully, this summary outlines that the following technologies are updated for April:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Visual Studio for Mac
  • .NET Framework
  • Silverlight
  • Adobe Flash Player

I applaud Microsoft for following industry best practices and for moving their patch documentation and release notes to the CVRF format. Unfortunately, with the present state of the MSUG, I can't really match up the CVRF format with patches in a systematic manner.

Over the past 15 years, Microsoft has set the gold standard in communications with its Patch Tuesday approach and this new format has raised some concerns and dissenters. The new Microsoft CVRF format supports queries through a Restful API and eventually most third-party vendors and other IT pro's will develop the tools necessary to test and deploy Microsoft patches with the level of granularity and control that today's enterprises need to manage large, disparate and heterogeneous environments. Just not today.

If you are stuck trying to figure out what just happened on this April Patch Tuesday, you can still reference all the Windows platform update histories found here:

If you are desperate, you can try to match up the CVE entries with updates in the Security TechCenter acknowledgment page.

The IT world is changing and Microsoft is responding. To quote Steve Daly from Ivanti:

"The IT industry has undergone a major transformation in the last few years. We’ve seen the IT department’s responsibilities evolve from maintaining desktop computers to managing all sorts of devices and other IT assets, both hardware and software, in a number of varied environments. We’ve also seen an explosion in the number and variety of security threats. With these changes comes added cost, risks, and the need for a new approach."

Hopefully, despite the initial teething problems with the new CVRF format, Microsoft is the vanguard for this new approach.

Copyright © 2017 IDG Communications, Inc.

Shop Tech Products at Amazon