Customers roast Microsoft over security bulletins' demise
- 25 April, 2017 04:49
When Microsoft asked customers last week for feedback on the portal that just replaced the decades-long practice of delivering detailed security bulletins, it got an earful from unhappy users.
"Hate hate hate the new security bulletin format. HATE," emphasized Janelle 322 in a support forum where Microsoft urged customers to post thoughts on the change. "I now have to manually transcribe this information to my spreadsheet to disseminate to my customers. You have just added 8 hours to my workload. Thanks for nothing."
Janelle 322 and others left scathing comments on the support forum Microsoft touted Friday as the place to post comments and questions about the Security Update Guide (SUG), the online portal which took the place of familiar bulletins.
Microsoft announced the demise of bulletins in November 2016, saying then that the new process would debut Feb. 14. Those web-published bulletins had been a cornerstone of Microsoft's patch disclosure policies since at least 1998. The bulletins' thoroughness and transparency were long praised by security professionals, who considered them the benchmark against which all other vendors' efforts were compared.
After a two-month delay, Microsoft dropped bulletins with the April 11 collection of security fixes. A day later, one patch expert said the switch from bulletins to SUG had expanded his workload by about six times.
Customers echoed the added-work theme in comments on the support thread.
"I typically spend 2-3 hours to read through and determine what updates need to go to our systems, document, etc. I spent a solid 8 hours trying to make sense of everything today and get it organized, and I'm not close to being finished," reported Jim24Mac. "What I had to go through today was an abomination. I download[ed] the spreadsheet with 670 lines of exploit info that I'm supposed to somehow find useful to determine what I need and why. It's terrible."
Other critics got more specific.
"While calling out the security issue via CVEs [Common Vulnerabilities & Exposures] is valid, for the system admin/patcher the new format doesn't relate well at all to what we see to approve and patch," wrote Susan Bradley, a noted Windows patch expert who writes for the Windows Secrets newsletter. "While it's appreciated to have a searchable database in the Security Update Guide, it is too cumbersome to use to quickly get the information needed on Update Tuesday. To get the same information took way too many steps and required collaboration with other sources to confirm information.
"Bottom line we have a communication problem," Bradley continued. "You are talking CVEs [but] we're still needing something that showcases what we see needing to be installed on our PCs. If there is any way to better filter down the information and make it better trackable to what we see installed, that would be grand."
"The change did nothing to make our lives easier and made it much more difficult to determine our internal severity based on the attack methods," added J_DDS on the same thread. "I'm all for a searchable database but don't trash the system that worked perfectly in the past."
Microsoft's stock response in the support threads was penned by Chris Wojahn, a senior escalation engineer in the support group. "We understand the concern about the changes made to ... the Security Update Guide replacing the numerous KBs [knowledge base documents] of the past," Wojahn wrote. "The change is to align with the move from individual updates to the cumulative update process."
Wojahn's explanation for the change was contrary to what Microsoft last year claimed had prompted the decision. "Our customers have asked for better access to update information, as well as easier ways to customize their view to serve a diverse set of needs," the Microsoft Security Response Center stated in November when it announced the latest switch.
Microsoft never linked the death of bulletins to its earlier decision to eliminate individual patches and in their stead, provide only cumulative security updates for all versions of Windows. Instead, its vague rationale only mystified customers. "They were all scratching their heads, wondering why Microsoft made it harder to find stuff," said Chris Goettl, product manager with patch management vendor Ivanti, of users who attended an April 12 webinar on the month's patches.
The lack of communication was something another critic focused on in comments to the support forum. "Honestly I know you've communicated random fragments of this ... change across random Microsoft blogs, but Microsoft should have done a better job in making it a bit clearer," said chicaneUK. "I don't understand how this is an improvement of the process, nor how it is saving us time or making things easier."
Microsoft has also posted a FAQ that covers the SUG portal and its dashboard.