Free Guide to Security Updates
Jeffrey R. Jones
Senior Director, Security Business & Technology Unit
Upon moving to a monthly, predictable release cycle for Microsoft Security Bulletins and updates in October 2003, we also introduced webcasts the day after each release so that all customers have an interactive forum where they can learn more details about the. The number and quality of questions we consistently get on those webcasts have inspired me to write this guide.
What Should I Do?
If you are an individual user who doesn’t want to know the details and just wants to improve the security of your computer then skip the rest of this article and go directly to www.microsoft.com/protect. There, in addition to tools that will help you implement your firewall and activate auto updating, you will find some great offers on antivirus software. My parents did this, my brother did it, and I did it at home. You should do it too.
But read on if you are managing security for multiple machines and products and you want to utilize the details in Microsoft’s technical security bulletins.
What are the important recurring activities that you should schedule on your calendar? The targeted release day for Microsoft Security Bulletins is always the second Tuesday of the month at 10:00 A.M. Pacific Time. We are a global company serving global customers, so we will be sticking to this targeted date even if it is a holiday.
Second Tuesday of each month at 10:00 A.M. Pacific Time, Microsoft Security Bulletins post, and update packages are posted on Microsoft Download Center and the appropriate update site, such as Windows Update or Office Update.
Security alerts and bulletins are sent to people who have subscribed to the Microsoft Security Notification Service. (Sign up for the notification service.)
Press Briefings—Microsoft briefs several security industry reporters to help ensure that more customers are made aware of steps they may need to take.
Microsoft Security Bulletin webcast—10:00 A.M. Pacific Time, the day after release day, Microsoft hosts a webcast and conducts a Q&A session that provides information about any “critical” or “important” bulletins. You can sign up for these and other security webcasts.
Each month, I get a couple of recurring questions. Here they are with the answers.
Question: Bulletin MS04-0XX replaces some other bulletin. Do I have to apply the new update package? Is there anything new?
Answer: Yes. Anytime a bulletin with a new number is released at least one new issue is addressed, even if we combine it with older updates that touch the same files for your convenience.
Question: Windows Update tells me I have a critical update to install, but I don’t find a corresponding security bulletin that tells me about the security issues.
Answer: Windows Update identifies urgency by using the words “critical updates.” The security bulletin severity ratings of “critical,” “important,” “moderate,” and “low” are separate labels. It is possible for Windows Update to present an urgent (critical) update to you that is not rated “critical” according to security bulletins. (Shouldn’t we just say here “Sometimes we issue critical updates without issuing a security bulletin” Isn’t that what the question is asking about?)
Question: Does the issue fixed by MS04-0XX allow anonymous exploit? How serious is MS04-0XX?
Answer: If an issue is rated “critical” by Microsoft, it means that there may be at least one way that malicious code could propagate (like a virus or worm) without any user touching a key or mouse. That is part of the definition of critical, just so you can make that clear, easy distinction at the highest level.
Notice that I didn’t answer the last question “yes” or “no” because it might not matter. For instance, an e-mail-based worm is not anonymous, but the source can’t be trusted.
Severity rating definitions are to help you establish a base of knowledge based upon Microsoft’s analysis of the issue. Given that base, you will add in your own knowledge of your environment and make your own assessment.
A vulnerability with an exploitation that can allow the propagation of an Internet worm without user action.
A vulnerability with an exploitation that can result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.
Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
A vulnerability that is extremely difficult to exploit or has minimal impact.
We believe that customers who use an affected product should almost always apply patches that address vulnerabilities rated “critical” or “important.” Patches rated “critical” should be applied in an especially timely manner. Customers should read the security bulletin associated with any vulnerability rated “moderate” or “low” to determine whether the vulnerability is likely to affect their particular configuration. We believe that patches rated “low” are less likely to affect most customers.
While this severity rating system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which patches are required to protect their systems.
Validating the Microsoft Security Bulletin
Microsoft regularly sends e-mail to subscribers of our security e-mail notification services when we release a Microsoft Security Bulletin.
Unfortunately, malicious individuals have sometimes sent bogus bulletins that appear to be coming from Microsoft. This is a tactic known as “spoofing.” Some of these messages lure recipients to malicious Web sites to download malicious code, while others include a file attachment containing a virus.
Fortunately, there are ways to spot the imposters. Here's how to verify that a Microsoft security-related message you receive is legitimate:
The message contains no attachments. Authentic Microsoft Security Bulletin notifications never include software updates as attachments.
The message is digitally signed. The Microsoft Security Response Center always signs its bulletin notifications before distributing them. You can verify the signature by using the key published on Microsoft TechNet.
The bulletin is listed on Microsoft.com. We never send notices about security updates until after we publish information about them on our Web site. If you are ever in doubt about the authenticity of a Microsoft Security Bulletin notice, check TechNet to see if the bulletin is listed there.
Navigating the Microsoft Security Bulletin
There is a lot of information in a Microsoft Security Bulletin. Based upon customer feedback, many improvements have been made over the past few years to make the bulletins more informative and easier to navigate.
Maximum Severity Rating: Look at this first to determine if the bulletin merits further scrutiny based upon your policies. Many companies have established much longer response time targets for “low” or “moderate” severity bulletins.
Tested, Affected Software: In recent bulletins, you’ll notice changes identifying the supported product and service packs that have been tested. If a product service pack is not listed here, it means that either it is not affected or it is no longer supported. You should be familiar with the Microsoft Support Lifecycle Web site and stay on service packs with security support. To understand how security support for the Windows 9x platform differs from other products, please read the full details of the Windows 9X security support policy.
Severity Ratings and Vulnerability Identifiers: If you expand the “technical details” section, you’ll find a table that shows individual vulnerabilities updated along with the severity rating per product. Frequently, newer products may not be affected at all or will have a lower severity rating.
Workarounds: If you expand the “vulnerability details” section, you will find a section detailing optional workarounds that you might use to help protect your systems. Many customers will have their own testing and approval process for updates before they roll them out. The workaround section gives these customers ideas for how they may make it more difficult for potential attackers to exploit their systems while they continue to follow their standard processes. Typically, workarounds may involve tradeoffs, so there will be a section discussing the impact of the workaround if implemented.
There is a lot more information in a Microsoft Security Bulletin than I’ve covered here, but this guide has introduced some of the important activities and presented some key areas you can use to quickly make an assessment on how deeply you should go with any particular new security bulletin.
I’ll close by reiterating our belief that customers who use an affected product should almost always apply patches that address vulnerabilities, and, in deciding when and how to follow that advice, I hope you now know about even more tools that are at your disposal.