Every second Tuesday of the month (US Time), also called Bulletin Release Day, Microsoft will release monthly security updates to public. Simultaneously, the detailed descriptions of these security updates will be published on Microsoft public website, which is called Security Bulletins. This article will provide you a guidance on how to accurately, efficiently and effectively read the security bulletins, and realize high-quality patch management.

Security Bulletin documentation can be divided into the following sections:

  • Summary, briefly summarize the security update information with the following parts:

    • Who Should Read this Document. For example, customers who use Microsoft Windows

    • Impact of Vulnerability, the impact that the malicious code causes on Microsoft products, which takes advantage of the vulnerability fixed by the security update. For example, Remote Code Execution, Privilege Escalation, Deny of Service etc.

    • Maximum Severity Rating, there are for severity rating, Critical, Important, Medium and Low.

        Maximum Severity
        Rating
                        Description
      Critical The vulnerability can cause critical security issues. For example, Blaster and Sasser, which cause Internet wide worm infection, system unavailability and network down.
      Important The vulnerability can cause big security issues, which may threaten to the confidentiality, integrity and availability of user data, or the integrity and availability of systems.
      Medium The vulnerability can cause medium security issues. Its impact can be reduced or prevented by implementing defense-in-depth, security hardening and enabling security auditing.
      Low The vulnerability is difficult to be used to initialize malicious attacks, or its impact is low.

Note: Microsoft strongly recommends customers to install security updates rated as Critical and Important at the earliest opportunity.

    • Recommendation, the recommendation of Microsoft on the security update. For example, Customers should apply the update at the earliest opportunity.

    • Security Update Replacement, indicates if this security update replaces any previously-released ones. In other words, no needs to install the previously-released security updates after install this one. The new update has included the fixes in the previous ones.

    • Caveats, logs the known issues that customers may experience when they install the security update. It also documents the recommended solutions for these issues.

    • Affected Software and Components, lists all the Microsoft products that are affected by the vulnerability and needed to apply the security update.

    • Non-Affected Software, lists the Microsoft products that are NOT affected by the vulnerability and no security update is available for them.

Note: Please pay attention to the Microsoft Product Support Lifecycle (for detailed information, please refer to http://support.microsoft.com/default.aspx?scid=fh;[ln];lifecycle). Microsoft will NOT provide security update support for the products that have been out of support lifecycle. In other words, Microsoft will not release security updates for these products. For example, Windows 98 Second Edition has finished its security update support lifecycle on July 11, 2006. After then, Microsoft will not release any security updates for Windows 98 Second Edition.


  • General Information, including the following parts:

    • Executive Summary, provides further descriptions of the vulnerability fixed by this security update. The description of the vulnerability refers to the bulletins of CVE, a third-party authoritative security website. On the other hand, it describes the impact of vulnerability on every Microsoft product, attack measures and severity rating. Executive Summary also provides the impact evaluations and severity rating of non-X86 systems (for example, X64 Windows operating systems). Customers using X64 Windows OS need to pay attention to this part.

    • Frequently Asked Questions (FAQ) Related to this Security Update, answers the FAQs related to this update, including how to fix the vulnerability, which previously-released updates have been replaced, how to use Microsoft Baseline Security Analyzer (MBSA) or System Management Server (SMS) to check if the security update is needed on systems.

Note: MBSA and SMS provide the functionality of checking security updates. MBSA is suitable to small business, while SMS is more beneficial to middle/big enterprise customers.

If any known issues for this update are found, or Microsoft decided to re-release it, there will be detailed explanations on What (what the problem is), Why (why the update is re-released) and How (how to fix the know issue) in FAQ. If a problem is found after the security update is installed, please check this part to confirm if it is a known issue. It can save time and efforts to trouble it.

    • Vulnerability Details, detailed describes the vulnerability fixed in this patch, including Mitigation Factors, Workarounds and vulnerability-related FAQ.

Mitigation Factors, describes the impact caused by the vulnerability and the corresponding mitigation methods. For example, configure the firewall and harden the system etc.

Workarounds, provides the workaround that have passed Microsoft official tests, which can temporarily migitate the impacts.

Note: Workaround is ONLY temporary measure but NOT the solution to fix the vulnerability. In order to fix the problem, please install security update as early as possible.

Vulnerability-related FAQ, answers the questions related to the vulnerability from technical viewpoints. For example, what is Buffer Overflow, what is Remote Code Execution, whether this vulnerability can be used to do Internet wide attacks etc. This section helps customers to understand technical details of the vulnerability, understand the workarounds and implement the security update.

Note: The above information is very useful to the customers who have got the security update information but still need time to deploy the security update. A frequent-occurring issue recently is that, malicious attacking code appears right after Microsoft releases security updates. To customers, there is a time gap, the period between getting security update information and deploying it to product environment. During this period, systems are under unsecure status and easy to be attacked. The information of this section can help customers to implement workarounds before deploying the update and fill the time gap.

    • Security Update Information, provides guidance on security update installation and deployment.

      • Prerequisites. For example, this security update requires Windows Server 2003 Service Pack 1.

      • Installation Information, provides the parameters during the update installation. For example, “/quiet” is quiet mode, no status or error messages are displayed during the installation.

      • Restart Requirement, in most situations, restart is required to security updates for Windows operation systems, because the system files locked when system is running will be replaced during the restart (these system files are loaded in memory and locked by the system when it is running). Restart is NOT required to the security updates for applications (for example, Office) or application services (for example, IIS). After applying the update, the only requirement is to reload the application or restart the application service.

 

So far, Microsoft security updates support hotpatching technology. Using this technology, system file loaded in memory can be dynamically replaced, so restart is not required after applying security updates. This section documents if the security update supports hotpatching.

 

      • Removal Information, security updates have uninstallation option. This section describes the methods to uninstall the update.

 

      • File Information, describes the updated system files with file name, version, date, time, size etc. After installing the update, customers can verify if it has been installed successfully by checking the file information. It is a recommended method to verify the update installation.

 

      • Verifying that the Update Has Been Applied, describes the methods to verify if the security update is installed successfully, including MBSA verification, File version verification, Registry Key verification etc.


  • Obtaining Other Security Updates, provides the link of Microsoft Download Center and Microsoft Update Web site.


  • Support, describes how to contact Microsoft technical support to resolve the issues related to security updates. To Microsoft genuine customers, all the security update related support is free of charge.


  • Patch Management Technologies

 

For enterprise customers who cannot directly perform system updates from Windows Update or Automatic Update, the following patch management technologies can be used:

                  

            Software Update Service (SUS)

            Window Server Update Service (SUS)

            System Management Server (SMS)

 

Note: SUS and WSUS are suitable to small business while SUS is more beneficial to middle-size or large enterprise customers. Please consider the deployment scale when choosing technologies.

 

On the other hand, Microsoft provides Windows Catalog Service to enterprise customers to download security updates of a specific Microsoft product. The service link is:

 

https://v4.windowsupdate.microsoft.com/catalog


  • Revisions, this section is the tracing log of the security bulletin version. If the bulletin document is modified, the version will be updated and the modification parts will be listed here.

 

Hope this article can help you not only better understand the security bulletins, but better implement patch deployment and management. So the trustworthy computing is guaranteed.

 

-End- 

Author: Samuel Lv