News

Microsoft Pares Down Its Mammoth Security Update Guide

• By Kurt Mackie
• 11/09/2020

Microsoft has revamped its monthly "Security Update Guide," which often comes in at or above 100 pages, to be a more palatable length for IT pros.

The "Security Update Guide" is Microsoft's monthly publication chronicling security patch details for the common vulnerabilities and exposures (CVEs) found in Microsoft's software. The guide tends to be very lengthy and repetitive, making it a fairly tough read.

Microsoft unveiled a preview of the revamped guide during last month's "update Tuesday" patch release. It's now described as having been launched, and the "preview" word is gone. This new guide promises to be more succinct, with sentence-length descriptions boiled down to a single word, in some instances. Microsoft also promised that it is "scoring every vulnerability" according to the Common Vulnerability Scoring System with the release of the new guide.

Readers of this terse new version of the guide can get further information by hovering a mouse cursor over a word in its table-like format. For instance, under the "Scope" for a vulnerability description the word, "Unchanged," appears. When a user hovers over "Unchanged," they'll see something like the following explanatory text:

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and impacted component are either the same, or both are managed by the same security authority.

Such a description doesn't really seem that clear. Terse phrasings sometimes can be a good thing, though.

Perhaps the best new aspect of the revamped "Security Update Guide" is the ability for readers to show which columns will appear for a given vulnerability description. It lets users show information about whether a security vulnerability was "exploited" or "publicly disclosed," for instance, which are key words indicating greater risk of an attack.

Also, fans of the "Security Update Guide" now have a "dark mode" option that reverses the traditional white background and black text scheme, which perhaps makes reading the guide less glaring.

The default order of the new guide seemed a little odd. My view of the October release of the guide, for instance, showed a Visual Studio Code vulnerability leading the list, followed by Windows 10 vulnerabilities. The default view didn't seem to be ordered by CVE number, priority or alphabetic approach.