Microsoft Corp. said customers have convinced it to flesh out the monthly advance notice of impending security updates with more information.
Beginning in June, the advance notice will offer more detail than before, Mark Miller, director of the Microsoft Security Response Center (MSRC), said on the group’s blog. Rather than the earlier bare-bones guidance, which was limited to the software affected — Windows, for instance, or Office — and the maximum severity rating of all the updates, the MSRC will now summarize each bulletin separately the Thursday before patches are issued.
“Customers have told us that additional information would be even more helpful,” said Miller.
Microsoft has been criticized at times for the sparseness of the notices, most recently last month, when it issued an out-of-cycle critical update, then released five more bulletins, four also pegged critical, a week later. Users and analysts questioned Microsoft’s rationale for not being more forthcoming about the later patches when it posted the out-of-cycle fix.
As of June 7, notices will list the maximum severity rating, vulnerability impact, affected software and necessary detection information for each bulletin scheduled to post the following Tuesday. “The new ANS [advanced notification service] is essentially a subset of the monthly bulletin summary we publish the second Tuesday of each month,” Miller said, pointing to the monthly abstract Microsoft already posts online.
In May’s roundup, for instance, the “Summary” section recapped each of the month’s seven critical bulletins with a short description, severity rating, impact (such as the flaw being remotely exploitable), and affected software. The reworked notice will be posted to a different URL than in the past, added Miller.
Miller also said that the MSRC has revised the organization of security bulletins and will debut the new design next month. “Customers very clearly pointed out that they were satisfied with the level of technical detail in the bulletins but needed to be able to more quickly determine the severity of the bulletin and its applicability to their environment,” he said.
Decision-making information has been moved to the top of the bulletin, a table has replaced the list of update download links, and section titles have been edited to make them clearer.
Microsoft has posted a sample of the new bulletin layout, using a February update, on its site.