Where to Find Microsoft Security Patches
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
If you've visited the Microsoft TechNet Security website or subscribed to the Microsoft Product Security Notification Service, you're probably familiar with security bulletins and patches. But you may not know about the many different types of patches Microsoft provides or where to find them. In this article, I'll discuss the various Microsoft websites that host security patches and the advantages of each.
The first question you might ask is why we need to have more than one type of patch. The answer is that this is a natural outgrowth of the eternal balancing act between immediacy and convenience. When developing a patch for a security vulnerability, we're often racing the clock, and our paramount concern is protecting as many customers as possible within the time constraints the vulnerability imposes. Typically, we'll initially release a patch that's fairly low-tech—one that requires a manual process to install and that may only be available in a handful of languages. Once the initial patch has been delivered, we focus on developing follow-on versions of the patch that can be installed automatically and that support additional languages.
On This Page
Starting Point—the Security Bulletin
When you need a patch for a particular vulnerability, always start your search for it by checking the security bulletin. It's a guaranteed way to find the patch; no matter where the patch resides, the "Patch Availability" section of the bulletin will always provide a link to it. But even if this weren't the case, we'd still recommend starting with the bulletin, because it's extremely important that you read and understand it before applying any patch. The bulletin contains information on the vulnerability, the risk it poses, any caveats regarding the patch, and also provides links to additional information. By starting with the bulletin, you'll be able to make an informed decision about whether you need a particular patch.
All security bulletins are hosted on the Microsoft TechNet security website. The home page always lists the most recently published bulletins, and a search page makes it easy to find previously released bulletins. You may also want to consider subscribing to the Microsoft Product Security Notification Service. Subscribers to this free service receive an e-mail message that contains summary information within minutes of the bulletin's release.
Additional Sites and Sources
After you've read the security bulletin, you're ready to find the patch. The simplest way to get the patch is simply to follow the link in the bulletin. However, if you're looking for a patch in a particular form, there are lots of options. If you know where to look, you can always find the right one.
Microsoft Downloads on Microsoft Office Online
The Microsoft Downloads on Microsoft Office Online can best be understood by analogy to an FTP site. Like an FTP site, the Downloads on Microsoft® Office Online is a repository of downloadable information of all sorts—white papers, product updates, tools, and other items, including security patches. Also like an FTP site, there's little automation; you find the patch you need, download it, and then install it by executing a self-extracting package. However, unlike an FTP site, the Downloads on Microsoft® Office Online is easy to search; once you've selected a patch, the Downloads on Microsoft Office Online provides detailed information to let you verify that you've got the right one.
The chief advantage of the Downloads on Microsoft Office Online is that patches can be posted to it at a moment's notice. This makes it the perfect method by which to deliver a patch when time is of the essence, as it usually is when we release a security bulletin. As a result, most bulletins will refer to the Downloads on Microsoft® Office Online when initially released. As we develop additional versions of the patch that can be deployed via the advanced methods discussed below, we'll update the bulletin to provide the new links.
You can find patches on the Downloads on Microsoft Office Online in either of two ways:
By listing the patches for a particular product and operating system, and then selecting the one you need.
By doing a keyword search for all security patches associated with a particular operating system, and then selecting the one you need. Security patches always have the keyword security_patch associated with them.
Although there are ways to go directly to a patch, we don't recommend this practice. The bulletin usually contains a direct reference to the patch using a value called the Release ID, and sometimes customers write down this value for later use. The problem with doing this is that if the patch changes for any reason, it's possible the Release ID might change as well. The reference in the bulletin, however, will always be up to date, which is one more reason to always use the bulletin as the authority reference.
Microsoft Update Web site
At the other end of the spectrum from the Downloads on Microsoft Office Online lies Microsoft Update, a website that, as the name suggests, hosts updates and patches for Microsoft Windows® operating systems and their components. This site is the ultimate in convenience. Just point your browser to it, and it will determine which patches haven't yet been installed on your system, let you select the patches you want, and then install them automatically. It will even install them in the language your computer is configured to use.
The convenience of the site comes at the cost of immediacy; it takes time to deploy patches to the site. The engineering behind the site is very complex because the site must be able to differentiate between millions of different machine configurations and take exactly the right action every time. There are a staggering number of dependencies that can influence this process, and we have to make sure we've done the job right. As a result, patches usually appear on Windows Update a few weeks after they have been posted to the Downloads on Microsoft® Office Online.
The technology to support the automation at the Windows Update site is built into Windows 98, Windows 98 Second Edition, Windows Me, Microsoft Windows NT® 4.0, and Windows 2000. The service is free, and no information from your computer is ever sent to Microsoft as part of the Windows Update process.
Windows Update Corporate Website
As cool as the Windows Update site is, it's not for everyone. In many corporate environments, IT managers need to tightly control the configurations of the machines on their networks and prefer to control the deployment of patches within the networks. If this sounds like you, the Microsoft Update Corporate website is the answer. The corporate site hosts the very same content as the Windows Update site, but in a form that lets you download patches and then deploy them to as many machines within your network as needed.
Everything about the site is designed with mass deployment in mind. The site displays all of the available patches and updates for all of the operating systems you're interested in and lets you download all the ones you need in one fell swoop. It also provides tools and information that make it easy to apply the patches on a network-wide scale. It even sets up a folder structure as part of the download that makes it easy to manage large numbers of patches.
Windows Update Downlevel Pages
But what if neither Windows Update site nor the Windows Update Corporate site is for you? Suppose you don't want to use Windows Update's automation (for instance, because you want to download the German version of a patch for a friend), but your machine is configured to use English. Likewise, suppose you're not a system administrator and don't want all the deployment tools that would accompany a patch from the Windows Update Corporate site. Or suppose you have an older browser that isn't supported by Windows Update. There's a solution even for these cases; it's called the Windows Update downlevel pages.
The downlevel pages allow you access to content from the Windows Update site, but without any of the automation. You manually specify the needed parameters (such as language and version), and then download a patch that you can install at your convenience by executing it. Don't look for a Windows Update Downlevel website because there isn't one; instead, access to the downlevel pages is via the "Downloads" sections of the websites for the products:
Because the downlevel pages don't provide the same level of automation as the Windows Update site, the engineering requirements are less challenging and we can deploy patches to them much more quickly. In some cases, we're able to make a patch available through a downlevel page right away, in which case the bulletin will link directly to it. In other cases, we initially provide the patch via the Downloads on Microsoft Office Online, and then when the patch is available via a Windows Update downlevel page, we modify the bulletin to point to it.
Office Update Website
The Office® family of products offers its own update website, known as Office Update. Just as Windows Update offers one-stop shopping for operating system patches, Office Update hosts patches and updates for Microsoft Outlook®, Microsoft Word, Microsoft Excel, Microsoft PowerPoint®, Microsoft Access, Microsoft FrontPage®, Microsoft Project, Microsoft Visio®, and all other Office products.
A fully-automated service called Auto Update is available from the website. Like Windows Update, the Auto Update feature detects which patches you need and automatically installs the ones you select. A manual process similar to the one used by the Windows Update downlevel pages also is available—in fact, it's the default. Just select the product and version you're interested in, and the site will display a catalog of available patches. When you click on the one you want, you'll go to a page that provides details about the patch (including what languages it supports). From there, just click Download Now!; when the download is complete, execute the patch.
Finally, to round out the parallelism between the Office Update and Windows Update sites, the level of automation determines how quickly the patches are available. A version of the patch that requires you to select it manually is usually available from the start; but the Auto Update version may trail it by a few weeks.
We've talked about how the big players—Windows and Office—handle patches. But what about other Microsoft products? The answer is that, for the most part, the patches for other products are posted to the Downloads on Microsoft® Office Online only. But even then, there are exceptions.
In a few cases, most notably the Microsoft VM and the Microsoft Data Access Components, patches are posted directly on the products' websites rather than on the Downloads on Microsoft® Office Online. This is done because the patches aren't really patches at all—they're actually new versions of the product. These products are sufficiently small that a patch would be about the same size as the product itself, so the simplest option is to provide an entirely new version of the product. The natural place to host new versions of the product is, of course, on the product website, so that's what's done. Wherever the patches are hosted, though, the bulletin will point you to the right place.
Wrapping It All Up
With the many different flavors and locations of security patches, finding the right one may initially look like a daunting task. But now that you know the roles of the various sites, you're ready to go patch hunting with confidence. Just remember to start your search with the security bulletin.
Scott Culp is a security program manager in the Microsoft Security Response Center.