Patch Tuesday overhaul: Microsoft to replace security bulletin index with database-driven portal

Over the past year, IT admins and security professionals have had to deal with massive changes in the way Microsoft delivers updates. Beginning in 2017, they'll have to adjust to a new format for security bulletins as well.
Written by Ed Bott, Senior Contributing Editor

If you're an IT pro or security professional, Patch Tuesday is about to get easier. Instead of trawling through an index of static documents, you'll be able to search a database to find detailed information about vulnerabilities and the latest security updates for Microsoft software.

For nearly a decade, Microsoft has published a list of security bulletins on the second Tuesday of each month, Patch Tuesday. Each bulletin is numbered with a prefix that designates the year in which it was released, followed by a sequential number.

Despite some initial complaints, the Patch Tuesday schedule has worked well for Microsoft and its IT customers. So well, in fact, that Adobe and other software vendors have adopted the same update schedule.

But the system for alerting IT admins and security pros about the content of those bulletins hasn't kept pace.

As of November 2016, the Security Bulletins index runs for a daunting 57 pages, with a list of updates that goes back to 2008. Each individual bulletin in turn includes details about that patch for each software package it affects, with links to Knowledge Base numbers that in turn contain additional details.

It's a rabbit hole that even security experts can quickly get lost in, and the entire concept of an index page of static documents is increasingly old-fashioned.

So, beginning in early 2017, Microsoft says it will scrap that entire system in favor of a new "single destination for security vulnerability information" called the Security Updates Guide.

The new security portal is driven by an online database. Instead of having to poke through an index of documents, you can sort, search, and filter the database to find details about a specific security bulletin and its associated updates.

Currently, the portal is in a preview, with bulletins for November 2016 through January 2017 being published to both the old index and the new guide. After January 2017, new bulletins will be published only to the new guide.

Refactoring the security guide as a database allows IT admins and security professionals to quickly turn that sprawling index into a manageable list.

In the new guide, for example, you can filter by product category to find all updates that apply to browsers, or combine criteria to display a list of only Critical updates for Windows 10 version 1607.


The new security portal is driven by a database instead of being a static index.

Search results appear in a grid that you can filter directly using a text box or sort by clicking column headings. Details about the vulnerability (including CVE numbers, severity ratings, and impact) are hidden by default but can be revealed with a click or two of the checkbox.

Each entry in the grid contains links to the associated KB article and to details about the vulnerability and affected products.

You can also search by CVE number or KB article to quickly learn details about a specific vulnerability.

Finally, and most importantly, the entire list or any filtered subset can be downloaded as an Excel worksheet in CVE format, allowing IT pros to integrate security information into their own infrastructure without having to manually scrape the index.

This is just the latest in a wave of changes Microsoft has made to the way it delivers updates. The biggest change, of course, is the decision to package updates into cumulative packages instead of delivering individual updates that can be accepted or discarded.

That decision has inspired some grumbling among both Windows users and IT pros, who are concerned about the disruptive impact of flawed updates on productivity. This change, while it will affect some ingrained work habits, should be a net positive for most IT pros.

Editorial standards