Microsoft expands Patch Tuesday advance notification

By Stephen Withers
Friday, 18 May 2007 02:51

Home IT

Microsoft has decided to provide more information in its advance notices of Patch Tuesday security bulletins.

The company's practice has been to provide on the Thursday before Patch Tuesday a terse summary of the forthcoming bulletins, providing little more than the affected products and the maximum severity rating.

While that gave users and administrators a chance to see whether any of their software was being patched, they are not satisfied with the level of detail.

"[C]ustomers have also told us that additional information would be even more helpful," wrote director of security response communications Mark Miller in the Microsoft Security Response Center blog. "Based on that, we are incorporating additional detail about the upcoming security updates."

Beginning June 7, Microsoft's Advanced Notification Service (ANS) will present cut-down versions of the forthcoming security bulletins themselves. For each bulletin, the ANS will provide the maximum severity rating, the impact of the vulnerability, detection information, and a list of affected software.

While system administrators might prefer to receive even more detail, the more information Microsoft releases, the greater the chance that someone will be able to develop a working zero-day exploit.

The ANS will be located at the same URL as the monthly bulletin summary, so the advance notice will be replaced by the full summary on Patch Tuesday.

Microsoft is also making some changes to the format of the bulletin summaries. "We’ve also spent a lot of time talking to customers about the layout of our security bulletins and how we can improve them," wrote Miller. "Customers very clearly pointed out that they were satisfied with the level of technical detail in the bulletins but needed to be able to more quickly determine the severity of the bulletin and its applicability to their environment."

Among other changes, the new format starts with an executive summary outlining the nature of the issue, its severity on different versions and platforms, and giving a brief outline of how the patch addresses the issue.

Bulletin MS07-016 has been reworked in the new format to provide a preview of the changes.