Fighting the long battle to get users to apply software updates promptly, Microsoft has launched a new service for individuals and smaller organizations that may help.
myBulletins is a page on Microsoft's TechNet site for IT professionals that holds a list of security bulletins which apply to products the user has selected. The page includes all the essentials of each security bulletin: the date posted, ID, product name, impact (type of vulnerability, e.g. information disclosure or remote code execution), severity level and whether the update requires a reboot.
A summary up top shows the number of updates by severity level and the number requiring a reboot.
The information on severity and reboots has long been included in bulletins, even in the Patch Tuesday advance notification, to help large organizations prioritize updates and plan for downtime from them.
Microsoft says that myBulletins "...is a very useful online service for administrators in enterprise or small and medium sized business environments." But in a larger organization, any with a Windows domain at least, Microsoft's WSUS (Windows Server Update Services) or a third-party patch management system would do all of what myBulletins does and much more.
myBulletins only knows what the user tells it; it detects nothing from the user's systems and provides no way to keep track of which updates have been applied. The user can download the contents of the bulletin list to an Excel spreadsheet and perform some management functions there. The downloaded spreadsheet includes much more information than the myBulletins page, including Knowledge Base article links, CVE numbers (vulnerability identifiers), and whether any earlier bulletins were superseded by this new one.
We were surprised to see that the list from which users could choose includes many products which haven't been supported for many years, among them Office XP, Internet Explorer 5 and SQL Server 2000.
If the point is to help users keep up with patches, then these products seem beside the point. We asked Microsoft about the inclusion of the obsolete products and they said that customer feedback indicated that customers wanted to be able to reference past security bulletins.
Tracey Pretorius, Director of Microsoft Trustworthy Computing, announced myBulletins in an MSRC (Microsoft Security Response Center) blog entry today.