News

Microsoft Replacing Security Bulletin Portal in February

• By Kurt Mackie
• 01/17/2017

Microsoft will be going live with its new "Security Updates Guide" portal -- which will replace the older "Security Bulletins" portal -- next month.

The Security Updates Guide is currently accessible as a preview. However, on Jan. 10, 2017, Microsoft will stop publishing the Security Bulletins portal. The Security Bulletin numbering system, using formats like "MS17-00x" to label security bulletin groups, also will be going away next month. Instead of using those bulletin numbers, Microsoft plans to identify its patches using "vulnerability ID numbers and KB [Knowledge Base] Article ID numbers," the company explained, in a Security Updates Guide FAQ.

This week's patch Tuesday release of security bulletins, a very light release affecting just four products (Windows, Microsoft Edge, Microsoft Office and the Adobe Flash Player), was the last such release using the old Security Bulletins numbering scheme. Microsoft's next security update release is slated for Feb. 14, which is when IT pros will have to rely on the new Security Updates Guide to get patch details.

The new portal already shows that it's possible to drill down into descriptions. For instance, a list of January KB articles can be found here. However, Microsoft's Knowledge Base articles in the Windows 10 era have been criticized as lacking the detailed descriptions that once were available to IT pros.

Microsoft had briefly explained this coming portal change back in November in this blog post. That announcement promised that the new Security Updates Guide portal would let organizations sort bulletins by "CVE [Common Vulnerabilities and Exposures], KB number, product, or release date." They could also use the new portal to exclude products they don't use. The portal also can be used to create CSV (comma-separated values) files for use in tables or databases.

Moreover, the new portal supports "a new RESTful API" to pull security information into applications, which eliminates having to do "screen-scraping of security bulletin web pages," the blog post suggested. Documentation on this new API can be accessed by clicking the Developer tab in the Security Updates Guide, according to Microsoft's FAQ. Users need a Microsoft account to access it, and there are some steps involved to use the API.

"The first time that you use the API you must create a key," the FAQ explained. "It will be saved for subsequent uses."

Microsoft's own tools for managing software updates, namely Windows Server Update Services and System Center Configuration Manager, will be updated to address the new Security Updates Guide approach, Microsoft's FAQ promised. The company is working with other software vendors as well, but Microsoft "cannot guarantee that all third-party software will work in the future" with the new portal, the FAQ stated.

Microsoft's My Bulletin portal has become casualty of Microsoft's portal revamp efforts. It won't be supported after the January security update release, Microsoft's FAQ indicated. The link to My Bulletin was still up at press time, but it'll likely disappear. The My Bulletin portal was designed let users create their own security bulletin dashboard for different Microsoft products.

Microsoft still plans to continue to issue its security advisories, which are notices of discovered vulnerabilities, rather than patches. Microsoft also plans to continue to issue so-called "out-of-band" security update releases (patches issued outside the usual monthly schedule). In addition, previously published security bulletin documentation won't be moving from their present locations, Microsoft's FAQ promised.

There will be a way to sign up to receive notifications when information gets added to the Security Updates Guide, according to the FAQ. The details, though, weren't available at press time.