What do you think is the most important thing you can do to help secure both your client and server deployments?
If you said, “apply security updates as soon as possible” – then you guessed right.
Updating your applications, operating systems and firmware must be job one. Play fast and loose with updates, and it almost doesn’t matter what else you do to secure your systems.
Microsoft has a long history of being a leader with security updates. We deployed a worldwide network to support Windows Update, and enabled our enterprise customers to finely tune their update strategies with Windows Server Update Services and similar updating technologies. We’re serious and heavily invested in keeping you secure with updates. Whether you’re in the cloud or on-premises, we’ve got you covered.
That’s not going to change.
What is going to change is how we let you know about updates.
In 2004, we started releasing what we called “Microsoft Security Bulletins” on what became known as “Patch Tuesday”. Each bulletin represented, in text format, an update which might address one or more vulnerabilities that applied to one or more software products.
While the bulletin approach did its job, it was hard for security teams to track, slice and dice the information. Many teams did the old “copy and paste” from the bulletins and put them into their own Word docs or Excel spreadsheets.
There’s a lot of overhead in that approach and Microsoft realized it was time to modernize the process. Today’s security organizations need the information they’re interested in, delivered in a format they can easily manipulate programmatically.
That’s where the new Security Update Guide comes in. In this model, you’ll use the Security Update Guide to get information about security updates each month. “Patch Tuesday” doesn’t go away, and there may sometimes still be out-of-band updates, but instead of getting information about updates from monthly security bulletins, you’ll be getting them from the Security Update Guide.
The Security Update Guide is a searchable database that you can use to find updates and filter them based on what you’re interested in. Once you find what you’re interested in, you can then download the list of updates and associated data as an Excel spreadsheet. That means the days of screen-scraping bulletins each month are over.
With this new tool you can:
- Filter and sort using a variety of parameters, such as CVE or KB number, product type or release date
- Focus only on the updates that are important to you
- Use a new RESTful API to speed up security information acquisition and recording
To get to the Security Update Guide, navigate to https://portal.msrc.microsoft.com/en-us/. You’ll go first to a landing page. There are some useful links on this page that you will want to check out. For example:
- Read the Security Update Guide FAQ – the FAQ page has a lot of useful information and advice that will help you get the most out of Security Update Guide
- Get security update information through the API – we’ll talk later about how to do this.
Click the Go to Security Update Guide button as seen in the figure below. You’ll need to accept the license agreement to use the dashboard, but you don’t have to sign in to use it. However, if you decide to check out what’s on the Developer tab (which we’ll talk about in a little bit), then you’ll need to sign in.
Now we’re at the Security Update Guide page. You’ll see something like the figure below. Notice that there are six ways you can filter your list of security updates (and you can combine filters):
- Product category
Start with defining your date parameters – start and end date.
For product categories, you can view All Product Categories (which is the default), or click the drop-down list and you’ll see your options in the figure below. This is cool because if you’re not interested in, for example, Microsoft Biztalk Server updates, you don’t have to see them.
You can then scope down on the specific products within the categories you select. In this example, we left the default of All Product Categories, so when we click the drop down for All Products, we see all the Microsoft products. Of course, you can deselect any product you don’t want to see. There are a lot of products, so if you want to limit the number of products that appear in your report, pick the categories you’re specifically interested in first.
You can also filter by update severity. The default is All Severities but you can filter down to the ones you’re interested in – the figure below shows you what you have to choose from.
Similarly, you can choose updates based on impact. Again, the default is All Impacts, but you can customize this too.
If there is an update with a specific CVE or KB number you want to look up, just enter it into the Search on CVE number of KB Article box.
Under the filter options is a list of monthly release notes. Just click the release note you want to see and it will look like the page seen below.
At this point we’ve gone through the filters and seen how to view release notes. After you finish with your filters, you don’t need to click “OK” or anything like that. The list of updates that you’ve filtered for will automatically appear. The figure below shows the first three entries when you use the defaults. For these three updates we can see the Date, related KB Article, Product and Platform information.
But wait! There’s more.
The figure below shows options to see more information. Just put a checkmark in the Details, Severity or Impact checkboxes. The report will automatically show the new information in additional columns.
You can filter the report even more using the text filter option, as seen in the figure below.
Finally, remember what we were talking about earlier – we don’t want to do screen-scraping like we used to, we want to get this information in a way that’s easier to manipulate. One way to do that is to download an Excel spreadsheet (.csv file) with all the information that appears in the online report.
Just click Download.
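Once the report is downloaded, it can feed a patch queue directly instead of a hand-maintained spreadsheet. The script below is an added example, not code from Microsoft or from the Security Update Guide: it reads an export, keeps only the rows that touch software in your own inventory, and groups them by KB article with the worst severity first. The column names, the sample rows and the KB/CVE values are assumptions constructed for illustration; check them against the header row of a real download.

```python
import csv
import io

# Column names are assumptions taken from the columns the article mentions;
# compare them with the header row of a real download.
REQUIRED = ("Date", "Product", "Platform", "Article", "Severity", "Impact")
SEVERITIES = ["Critical", "Important", "Moderate", "Low"]

# Constructed sample export: KB and CVE values are placeholders, not real IDs.
SAMPLE_EXPORT = """\
Date,Product,Platform,Article,Severity,Impact,Details
2017-04-11,Internet Explorer 11,Windows Server 2016,KB0000001,Critical,Remote Code Execution,CVE-0000-0001
2017-04-11,Internet Explorer 11,Windows 10,KB0000001,Critical,Remote Code Execution,CVE-0000-0001
2017-04-11,Microsoft Office 2016,,KB0000002,Important,Information Disclosure,CVE-0000-0002
2017-04-11,Windows Server 2016,,KB0000003,Important,Elevation of Privilege,CVE-0000-0003
2017-04-11,Windows Server 2016,,KB0000003,Critical,Remote Code Execution,CVE-0000-0004
2017-04-11,Microsoft BizTalk Server 2016,,KB0000004,Moderate,Denial of Service,CVE-0000-0005
"""


def load_rows(text):
    """Parse the export and fail loudly if the header layout has changed."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("export is missing columns: " + ", ".join(missing))
    return [{k: (v or "").strip() for k, v in row.items() if k} for row in reader]


def patch_queue(rows, inventory, floor="Important"):
    """Group relevant rows by KB article, worst severity first."""
    wanted = {name.lower() for name in inventory}
    ranks = {s.lower(): i for i, s in enumerate(SEVERITIES)}
    queue = {}
    for row in rows:
        # An unrecognised rating is treated as top priority rather than dropped.
        rank = ranks.get(row["Severity"].lower(), 0)
        hits = [n for n in (row["Product"], row["Platform"]) if n.lower() in wanted]
        if rank > ranks[floor.lower()] or not hits:
            continue
        entry = queue.setdefault(row["Article"], {"rank": rank, "on": set(), "cves": set()})
        entry["rank"] = min(entry["rank"], rank)
        entry["on"].update(hits)
        entry["cves"].add(row.get("Details", ""))
    ordered = sorted(queue.items(), key=lambda kv: (kv[1]["rank"], kv[0]))
    return [(kb, SEVERITIES[e["rank"]], sorted(e["on"]), sorted(e["cves"])) for kb, e in ordered]


if __name__ == "__main__":
    for item in patch_queue(load_rows(SAMPLE_EXPORT), {"Windows Server 2016", "Microsoft Office 2016"}):
        print(item)
```

A KB that fixes several CVEs is reported once, at the highest severity among its rows, which is the unit a deployment ticket normally tracks.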
And for our dev friends, you can take advantage of the Microsoft Security Updates API to get Microsoft Security Update information. Just click DEVELOPER.
The Security Update Guide development API can be used to create a report in CVRF format. To use this API, click the DEVELOPER tab, and log into TechNet when prompted. From this tab, you can see code samples in a variety of scripting languages.
We’ve also posted some code samples in the Microsoft Security Updates API project on GitHub. Try them out, or contribute to the project if you have a script you would like to share with the community.
While security update bulletins made sense for a long time, today we need a more flexible and easily consumed publication model. We think these changes will reduce the effort of keeping up with security updates and integrating them into your update tracking systems.