Abstract
This white paper describes the steps Microsoft has implemented to improve the security bulletin release process. These improvements were designed based on considerable feedback we have received from customers.
Microsoft's Trustworthy Computing (TwC) initiative has resulted in substantial progress in the area of security. The SD3C (secure by design, secure by default, secure in deployment and communications) security framework defined as part of the TwC initiative has guided Microsoft's efforts in the area of security. While our primary strategy is to reduce vulnerabilities in our code (secure by design) and to ship products with minimum potential for exploitation of vulnerabilities that remain (secure by default), the changes to the security bulletin release process focus on improvements in the secure in deployment and communications areas of SD3C. Our objective is to make the security response and security patching processes more manageable for customers while still doing everything possible to minimize their risk.
In response to extensive customer feedback, Microsoft is implementing changes in the way security bulletins are released. These changes will help enhance the manageability and predictability of the patch management process for customers.
Security bulletins will normally be released on the second calendar Tuesday of every month. However, the first monthly bulletins will be released on Wednesday, October 15, 2003.
As before, Microsoft will issue a single security bulletin per patch. An additional security bulletin summary document per product family will be issued that will provide summarized information for all the patches released that month for the product family. Finally, Microsoft will provide prescriptive guidance within the security bulletins including workarounds for all vulnerabilities where a workaround is feasible, risk-assessment for specific threats, and other information that will make it easier for customers to evaluate and deploy the patches. A Knowledge Base article for every patch will be created that will provide a link to the corresponding security bulletin without duplicating the same information.
The new security bulletin format and process applies to both the technical bulletin (targeted at IT Pros and other technical users) and the consumer bulletin (targeted at the non-technical users). The primary differences are in the level of technical details and in that the consumer bulletin will be limited to Windows and Office patches.
Microsoft currently provides customers with a number of tools and resources to help manage the complex task of patch management and deployment. These tools and resources are located at http://www.microsoft.com/technet/security/guidance/patchmanagement.mspx. Microsoft also provides clear product lifecycle policies (http://support.microsoft.com/default.aspx?scid=fh;[ln];lifecycle) so customers are able to plan on the availability of security patches for supported software products.
Customers using Microsoft's patch management and deployment tools such as SMS (Systems Management Server) with Feature Pack 3, SUS (Software Update Services), MBSA (Microsoft Baseline Security Analyzer), Windows Update and Office Update will not need to upgrade or replace their tools to continue using them.
Customers using non-Microsoft patch management and deployment products will need to work with their vendors to ensure that their products continue to function with the new process.
Microsoft has spent a great deal of time talking with customers and has received a great deal of feedback about the security bulletin release process. That feedback can be summarized in the following key points:
• Customers are concerned that Microsoft releases security patches too frequently.
• Customers like Microsoft's security communication in the form of the security bulletin. However, they are confused by the separate KB (Knowledge Base) article about the patch that has similar information to that in the security bulletin. Apart from causing confusion, the use of a separate KB article and bulletin also forces customers to view both pieces of communication to get a complete picture. "I like the separate security communication. But why do you also have a KB article that has different information? Make it just one document so I don't have to go two places."
• Customers need workarounds and alternative mitigation strategies. "Every single critical bulletin should absolutely have a workarounds section."
• Customers would like more information from Microsoft that will help them do a risk assessment specific to their IT environment. The information may include worst-case scenarios that might result from an attacker exploiting a vulnerability. "Tell me my risk up front. What's the worst that an attacker can do to me? Why is it always buried?"
• Customers like to see more information about the patch right up front, including a direct link to the patch.
• Customers want Microsoft to provide guidance about how important the patch is from a perspective of security risk, to prioritize the installation of the patch. "Give me a way to know with a glance I need to drop everything and start my test validation on this patch."
On October 15, 2003 Microsoft rolled out a new security bulletin release process. This new process was guided by customer feedback and offers more predictability and greater opportunity to plan in advance.
Most changes described here apply to both the technical bulletin (targeted at IT Pros and other technical users) and the consumer bulletin (targeted at the non-technical users). There are two differences:
• Customers signing up for the technical bulletins will receive security bulletins for all products, whereas customers signing up for the consumer bulletin will only receive bulletins for Microsoft Windows and Microsoft Office.
• The two documents (security bulletin and security bulletin summary) for the non-technical audience will lack some of the in-depth technical detail provided in the documents for the technical audience.
Starting in October 2003, Microsoft will release security bulletins on the second calendar Tuesday of every month. A calendar of security bulletin release dates for the rest of 2005 and 2006 is as follows:
| Month | 2005 | 2006 |
| --- | --- | --- |
| January | 11 | 10 |
| February | 8 | 14 |
| March | 8 | 14 |
| April | 12 | 11 |
| May | 10 | 9 |
| June | 14 | 13 |
| July | 12 | 11 |
| August | 9 | 8 |
| September | 13 | 12 |
| October | 11 | 10 |
| November | 8 | 14 |
| December | 13 | 12 |
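The second-Tuesday rule can be computed rather than read off the table. The following Python is an added example, not part of the white paper, that derives the release day for any month, checks the derived days against the 2005 and 2006 calendar above (copied into the script as constructed data), and shows that the rule by itself does not predict the Wednesday, October 15, 2003 exception mentioned earlier, which is why a planning tool should treat the computed date as a default that can be overridden.

```python
import calendar
from datetime import date

# Constructed copy of the white paper's 2005/2006 release calendar (day of month,
# January first), used only to cross-check the computed rule.
PUBLISHED_SCHEDULE = {
    2005: [11, 8, 8, 12, 10, 14, 12, 9, 13, 11, 8, 13],
    2006: [10, 14, 14, 11, 9, 13, 11, 8, 12, 10, 14, 12],
}


def second_tuesday(year, month):
    """Return the date of the second Tuesday of the given month."""
    first = date(year, month, 1)
    # Days from the 1st to the first Tuesday (weekday(): Monday=0 ... Tuesday=1).
    offset = (calendar.TUESDAY - first.weekday()) % 7
    return first.replace(day=1 + offset + 7)


def release_schedule(year):
    """Day-of-month of the scheduled bulletin release for each month of a year."""
    return [second_tuesday(year, m).day for m in range(1, 13)]


def check_published_schedule(published=PUBLISHED_SCHEDULE):
    """Return (year, month, published_day, computed_day) for every mismatch."""
    mismatches = []
    for year, days in published.items():
        for month, published_day in enumerate(days, start=1):
            computed = second_tuesday(year, month).day
            if computed != published_day:
                mismatches.append((year, month, published_day, computed))
    return mismatches


def next_release_after(year, month, day):
    """Next scheduled release strictly after the given date (regular rule only)."""
    today = date(year, month, day)
    candidate = second_tuesday(year, month)
    if candidate > today:
        return candidate
    year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return second_tuesday(year, month)


if __name__ == "__main__":
    print("mismatches against published calendar:", check_published_schedule())
    # The regular rule gives Tuesday, October 14, 2003; the first release actually
    # happened on Wednesday, October 15, 2003, so an override is needed for it.
    print("rule for October 2003:", second_tuesday(2003, 10))
    print("next regular release after 2003-10-15:", next_release_after(2003, 10, 15))
```

`next_release_after` is the piece a patch-planning calendar would call; out-of-band releases (see "Exceptions to Monthly Release Schedule") have to be added on top of it by hand.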
A major benefit of switching to a monthly release cycle for security patches is that it allows customers to install multiple patches with a single install and single reboot (using Qchain.exe, Update.exe and other similar tools). This will minimize downtime on mission-critical systems and will allow customers to consolidate the patch deployment to once per month.
Another benefit of the monthly cycle is that it offers customers more time between releases of security patches. This allows customers to evaluate, test and install patches in their computing environments in a timely manner. The release schedule is also more predictable and allows customers to plan in advance for deploying patches.
Exceptions to Monthly Release Schedule
Microsoft will make an exception to the above release schedule if we determine that customers are at immediate risk from viruses, worms, attacks or other malicious activities. In such a situation Microsoft may release security patches as soon as possible to help protect customers.
Security Bulletin
Once a month, Microsoft will issue a redesigned security bulletin per patch. The security bulletin will serve as the single source for detailed information about the patch. The security bulletin combines the information in the KB (Knowledge Base) article and the security bulletin that were issued as separate documents in the former process.
The security bulletin will continue to be named with the current MSYY-XXX scheme, where YY denotes the 2 digit year and XXX is the running sequential number for the security bulletin that is unique within the year.
A KB article number will still be used to identify the security bulletin. The KB article will, however, only provide a reference to the security bulletin; no information will be contained in the KB article itself. The KB article association allows customers to cross-reference and search on the patch number they see in the "Add/Remove Programs" window. Customers searching on a KB article number for the patch will be able to easily find the security bulletin containing the detailed patch information.
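The cross-reference described above (KB number in "Add/Remove Programs" to MSYY-XXX bulletin) is easy to automate. The following Python is an added example, not Microsoft's code, that validates bulletin ids against the MSYY-XXX scheme, extracts KB numbers from a constructed list of "Add/Remove Programs" entry names, and reports which bulletins in a KB-to-bulletin index have been applied and which are missing. The index contains only the two pairs the white paper itself cites (KB 823980 / MS03-026 and KB 824146 / MS03-039); the six-digit KB format and the sample entry names are assumptions.

```python
import re

# Bulletin ids follow the MSYY-XXX scheme; KB numbers are the digits after "KB"
# in an "Add/Remove Programs" entry name (six digits is an assumption here).
BULLETIN_RE = re.compile(r"^MS(\d{2})-(\d{3})$")
KB_RE = re.compile(r"\bKB\s*(\d{6})\b", re.IGNORECASE)


def parse_bulletin_id(bulletin_id):
    """Return (two-digit year, sequence number) for an MSYY-XXX id, else raise."""
    m = BULLETIN_RE.match(bulletin_id.strip().upper())
    if not m:
        raise ValueError(f"not an MSYY-XXX bulletin id: {bulletin_id!r}")
    return int(m.group(1)), int(m.group(2))


def is_valid_bulletin_id(bulletin_id):
    try:
        parse_bulletin_id(bulletin_id)
        return True
    except ValueError:
        return False


# Constructed KB -> bulletin index. A real index would be built from each
# month's security bulletin summary; these two pairs are the ones the paper cites.
KB_TO_BULLETIN = {823980: "MS03-026", 824146: "MS03-039"}

# Constructed sample of "Add/Remove Programs" entry names from one machine.
SAMPLE_ENTRIES = [
    "Windows 2000 Hotfix - KB823980",
    "Microsoft Office 2000 Premium",
    "Windows Media Player 9 Series",
]


def installed_kbs(entries):
    """Extract the set of KB numbers named in Add/Remove Programs entries."""
    return {int(m.group(1)) for name in entries for m in KB_RE.finditer(name)}


def audit(entries, kb_index=KB_TO_BULLETIN):
    """Split the index into bulletins whose patch is installed and those missing."""
    for bulletin in kb_index.values():
        parse_bulletin_id(bulletin)  # reject malformed index entries early
    present = installed_kbs(entries)
    applied = sorted(b for kb, b in kb_index.items() if kb in present)
    missing = sorted(b for kb, b in kb_index.items() if kb not in present)
    return applied, missing


if __name__ == "__main__":
    applied, missing = audit(SAMPLE_ENTRIES)
    print("applied:", applied)   # ['MS03-026']
    print("missing:", missing)   # ['MS03-039']
```

The "missing" list is the same question MBSA answers at scale; the point of the single KB-to-bulletin mapping is that an administrator (or a script) only ever has to search once to get from an installed-patch name to the bulletin's severity, workarounds and replacement information.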
Security Bulletin Summary
Along with the security bulletin, Microsoft will also issue a newly created document called the security bulletin summary for every product family (e.g., Windows, Exchange, SQL Server, Office). The security bulletin summary includes a summarized listing of all security patches being released for the product family. This document lists information such as the specific products (within the product family) affected by the security patch, the impact of the vulnerability on users' systems etc.
The security bulletin summary document will be named as "Microsoft <product family name> Security Bulletin Summary for <month> <YYYY>" where YYYY denotes the four-digit year.
In response to customer feedback, Microsoft now provides additional information in the security bulletin and the newly created security bulletin summary. In addition, the security bulletin and the security bulletin summary have been designed for easy readability and usability. Appendix 1 and Appendix 2 list the information provided in the redesigned security bulletin and the new security bulletin summary respectively.
Security Bulletin
Microsoft has modified the format of the existing security bulletin to combine the information that was provided in the KB article and the security bulletin in the former process.
The security bulletin will list a few new types of information about the patch that were not provided previously. For example, the security bulletin will list separate workarounds and mitigating factors for the patch. This information will provide short-term options for customers who are not able to deploy the security patches immediately. Appendix 1 lists all information in the redesigned security bulletin.
Security Bulletin Summary
The format of the new security bulletin summary has been designed based on customers' needs. The security bulletin summary will allow customers to scan a single document (for a product family) and make informed decisions about installing the patch in their IT environments.
In addition, the content of the security bulletin summary provides more information than had been provided in the former process. For example, the security bulletin summary lists the deployment tools that may be used to install the security patches. Appendix 2 lists all information provided in the new security bulletin summary document.
Microsoft will continue its policy of thanking security researchers and experts who alert Microsoft of new vulnerabilities in its products and work with us to protect our customers. These individuals or groups report vulnerabilities to us confidentially, work with us to develop the patch, assist us in disseminating information about it once the patch is ready, and help minimize the risk to Microsoft's customers.
For example, in mid-2003, a research group called Last Stages of Delirium (LSD) reported an RPC/DCOM vulnerability to Microsoft. LSD's contribution was acknowledged in security bulletin MS03-026 which described the vulnerability and the patch that addressed the RPC/DCOM vulnerability.
The acknowledgements of the vulnerability finders will be listed in the security bulletin summary document.
The most significant change that the new security bulletin process will introduce for customers will be in the number and timing of security patches. Consequently, customers may need to revisit some of the processes they use for deploying patches. The following tools and resources will help customers evaluate, plan, manage and deploy security patches:
• Users of the Microsoft SMS 2.0 Software Update Services Feature Pack can continue to work with the new security bulletin format without upgrading SMS.
• If you use Windows Update or SUS with MBSA and Office Update in your organization today, you do not need to install any upgrades or additional software.
• For individual users using Windows Update / Auto Update and Office Update, the implementation of the new security bulletin release process will not require any re-configuration.
• If you have a non-Microsoft Enterprise Systems Management or Enterprise Software Distribution tool (ESM/ESD) that does patch deployment and management, please work with your vendor to ensure that your ESM/ESD tool continues to work with the new security bulletin and patch format.
Microsoft's lifecycle support policy provides consistent and predictable guidelines for product support availability. The Support Lifecycle policy took effect on October 15, 2002 and applies to most products currently available through retail purchase or volume licensing and most future products. More details about Microsoft's product lifecycle support policies can be found at http://www.microsoft.com/lifecycle.
Microsoft's Product Support Policy
Business and Development Software
Microsoft will offer a minimum of five years of mainstream support from the date of a product's general availability. After the end of mainstream support, you have the option to purchase two years of extended support. Additionally, most products will receive at least eight years of online self-help support. Visit the "Locate Your Product" (http://support.microsoft.com/default.aspx?scid=fh;[ln];complifeport) page to find the support timelines for your particular product.
Consumer/Hardware/Multimedia
Microsoft will offer a minimum of five years of mainstream support from the date of a product's general availability. Products with a new version released annually (for example, Money, Encarta, Picture It! Streets & Trips) will receive a minimum of three years of mainstream support from their date of availability. Additionally, most products will receive at least eight years of online self-help support. Xbox games are not currently included in the Product Support Lifecycle Policy.
Microsoft's Security Patch Policy
Business and Development Software
Security patches will be available through the end of the extended support phase (five years mainstream phase + two years extended support phase) to customers at no additional cost for most products. Customers do not have to sign up for an extended support contract to receive security fixes during the extended support phase. Visit the Locate Your Product page to find the support timelines for your particular product.
Consumer/Hardware/Multimedia
Security patches will be available through the end of the mainstream phase to customers at no additional cost for most products. Visit the "Locate Your Product" (http://support.microsoft.com/default.aspx?scid=fh;[ln];complifeport) page to find the support timelines for your particular product.
Microsoft's Service Pack Support Policy
Customers can receive support for the current and immediately preceding service pack, rather than only the most current service pack. This new support policy permits customers to receive existing hotfixes, or request new hotfixes, for the current shipping service pack, the immediately preceding service pack or both, during the mainstream phase.
Mainstream vs. Extended Support
Mainstream support includes all the support options and programs that customers receive today, such as no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims, and hotfix support. After Mainstream support ends, Extended support will be offered for Business and Development software.
Extended support includes all paid support options, as well as security-related hotfix support which is provided at no charge. Non-security related hotfix support requires a separate Extended Hotfix Support contract to be purchased within 90 days after Mainstream support ends. Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase.
Microsoft provides a number of tools to help customers secure their computing environments. These tools are available for free download and use from Microsoft's web sites.
Assessment, Patch Management, and Software Update Services and Tools
• Microsoft Baseline Security Analyzer (MBSA) scans single systems or multiple systems across a network for common system misconfigurations and missing security updates - http://www.microsoft.com/technet/security/tools/mbsahome.mspx
• Software Update Services (SUS) simplifies the process of keeping Windows-based systems up to date with the latest critical updates - http://www.microsoft.com/windowsserversystem/sus/default.mspx
• KB 824146 Scanning Tool can be used to identify computers on networks that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed - http://support.microsoft.com/default.aspx?scid=kb;en-us;827363
• QChain allows administrators to script the installation of several patches without requiring multiple reboots - http://support.microsoft.com/default.aspx?scid=KB;EN-US;296861&sd=tech
Automatic Scan and Update Tools for Windows and Office
• Windows Update scans your computer and provides a selection of updates tailored for your operating system, software, and hardware - http://windowsupdate.microsoft.com/
• Microsoft Office Product Updates scans and updates Microsoft Office products - http://office.microsoft.com/officeupdate/default.aspx
Lockdown, Auditing, and Intrusion Detection Tools
• IIS Web Server Lockdown Wizard works by reducing the attack surface of Internet Information Services and includes URLScan to provide multiple layers of protection against attackers - http://www.microsoft.com/technet/security/tools/locktool.mspx
• The UrlScan Security Tool helps prevent potentially harmful HTTP requests from reaching IIS Web servers - http://www.microsoft.com/technet/security/tools/urlscan.mspx
• EventCombMT, available as part of the Security Guide Scripts Download, is a multi-threaded tool that will parse event logs from many servers at the same time - http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9989D151-5C55-4BD3-A9D2-B95A15C73E92
• Cipher Security Tool for Windows 2000 permanently overwrites deleted data on hard drives - http://www.microsoft.com/technet/security/tools/cipher.mspx
Virus Protection and Cleaner Tools
• Office 2000 Update: Service Pack 3 includes the Outlook 2000 SR1 E-mail Security Update (OESU), which prevents users from accessing several potentially dangerous file types when sent as e-mail attachments and increases default security zone settings within Outlook - http://www.microsoft.com/downloads/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE&displaylang=EN
The following resources related to patch management and deployment are available on the web for customers:
Patch Management Resources
How to Determine the Appropriate Notification, Assessment, and Update Solution
• Protect: Configure Systems Properly and Ensure That Safeguards Are In Place - http://www.microsoft.com/technet/security/tips/protect.mspx
• Managing Updates and Patches: Tools and Policies to Maintain a Secure Environment - http://www.microsoft.com/technet/security/tips/manage.mspx
Managed Updates: SUS and SMS - Maintenance Solutions Managed Networks
• Distributing Software Using Microsoft Management Technologies - http://www.microsoft.com/technet/sms/20/dsumgmt.mspx
• Patch Management with SMS 2003 - http://www.microsoft.com/downloads/details.aspx?FamilyId=E9EAB1BD-13E7-4E25-85C5-CE2D191C3D63&displaylang=en
• Patch Management with SUS 1.0 SP1 - http://www.microsoft.com/downloads/details.aspx?FamilyId=38D7E99B-E780-43E5-AA84-CDF6450D8F99&displaylang=en
Current Issues and Related Information
Product-Specific Resources
Outlook
• Outlook E-mail Security Update Download - http://www.microsoft.com/downloads/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE&displaylang=EN
Windows 2000 Server
• Windows 2000 Server Distributed Systems Guide: Software Installation and Maintenance - http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsee_int_njzf.mspx
• Microsoft Solution for Securing Windows 2000 Server: Patch Management - http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/08patman.mspx
Windows Clients
• Windows Update - http://v4.windowsupdate.microsoft.com/en/default.asp
• Improve Desktop Security - http://www.microsoft.com/technet/security/chklist/winxpsrg.mspx
• Turn on Automatic Updates - http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hsc_autoupdate_turn_on.mspx
Windows Server 2003
• Windows Server 2003 Security Guide - http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.mspx
• Windows Update - http://technet2.microsoft.com/windowsserver/en/library/e77ca20b-52d3-414d-a119-18bbe53c66781033.mspx
• Windows Automatic Updates - http://technet2.microsoft.com/windowsserver/en/library/cc865354-df2a-4833-bb3b-a5e55225bd041033.mspx
• HOW TO: Turn on Automatic Updates - http://technet2.microsoft.com/windowsserver/en/library/d5876c37-4ae9-420d-9bb1-1173ba6c9a331033.mspx
The new security bulletin contains detailed technical information about the patch. The information in the security bulletin is a combination of the information contained in the former security bulletin and the former KB article for the patch.
The following information is included in the new security bulletin:
• Issued - Date the security bulletin (for the patch) was issued
• Last Revised - Last revision date of the security bulletin
• Version Number - Version number of the security bulletin
• Summary
• Who should read this document - Audience for the bulletin
• Impact of vulnerability - Describes the specific impact that the vulnerability can have on users' machines, e.g., remote code execution, elevation of privilege, denial of service or information disclosure.
• Maximum Severity Rating - Severity rating of the released patch (e.g., Low, Moderate, Important, Critical).
• Recommendation - Lists the recommended action for customers.
• Patch Replacement - Based on customer feedback, we are changing the term "supersedence" to "replacement". This describes the patch(es) that the current patch replaces.
• Caveats - Calls out special considerations for customers installing the patch.
• Tested Products and Patch Download Locations
• Technical Details
• Workarounds
• Frequently Asked Questions
• Security Patch Information - Details of where to find the patch, how to install it, and other installation-focused guidance
The security bulletin summary has been designed based on the customer feedback we have received. The following information is present in the new security bulletin summary:
• Issued - Date of issue of the security bulletin summary document
• Version Number - Version number of the security bulletin summary. The major version number (1.0, 2.0, 3.0, etc.) is incremented any time the major version number on the security bulletin is incremented. The minor version (1.0, 1.1, 1.2, etc.) is incremented any time text or other trivial changes are made to the security bulletin or the security bulletin summary.
• IT Pro Security Zone Community - Link to the online IT Pro community at http://www.microsoft.com/technet/security/en-us/community/security/default.mspx.
• Microsoft Security Notification Service - Links for subscribing to the Microsoft Security Notification Service at http://www.microsoft.com/technet/security/bulletin/notify.mspx.
• Patch summary (patches listed by severity rating)
• Deployment - Lists deployment tools that may be used to install the security patches.
• Other Information