Skip to main content

Frequently Asked Questions about the Security Bulletin Search Tool

What does the Security Bulletin Search Tool do?

The Security Bulletin Search Tool lets you easily and quickly find the security updates available for Microsoft products. The tool was recently updated in March 2012. Microsoft Security Bulletins provide information and guidance about updates that are available to address software vulnerabilities that may exist in Microsoft products. A security bulletin contains information about any product vulnerability that could result in multiple customers systems being impacted. Security bulletins include the following:

  • Details of all affected products
  • A list of frequently asked questions
  • Information about workarounds and mitigations
  • Any other information that IT staff needs to address the vulnerability.

With each security bulletin that is released, there is an associated software update available for the affected product. Learn more about the monthly security bulletin update release process.

 

What updates were made to the Search Tool in March 2012?

The search tool was updated in March 2012. Now you can filter bulletins by product, component, bulletin number, bulletin KB number, update package KB number, or CVE number. You can also set a start date and end date to see bulletins within a specific date range. Finally, you can download more comprehensive information about the security bulletins in an Excel file.

  • Search by product or component: More bulletins are displayed when you search on a given product because the new search tool finds updates for components that shipped with the product as well as updates for the product itself.
  • Search for updates that have not been replaced by a more recent update: This makes it easier to find only those security updates that you need while helping you get the latest fix available.
  • Comprehensive information: The search results display information including severity rating, bulletin number, and publish date. You can download a separate file with more even information such as CVE numbers, update package KB numbers, and reboot information. For more information, see http://go.microsoft.com/fwlink/?LinkId=245778.
  • Time-sensitive searches: You can perform time-sensitive searches for security bulletins by selecting any start date or end date.
  • Search by number: You can search by bulletin number, common vulnerabilities and exposures (CVE) number, bulletin KB number, or update package KB number.

 

How do I use the Security Bulletin Search Tool?

The Product/Component box lets you select the product or component that you want update information for. Select "All" to see the updates available for all Microsoft products, or select a particular product to see only the updates available for it.

Once you select a product or component, you can also search only for the most recent updates. This allows you to filter the search to only show those updates you need to deploy. Note that this option (to search for the most recently updates only) is available only if a product or component has been selected.

You can use the Release Date Range to show only those bulletins issued within a particular time frame. You can also search for bulletins by the bulletin number, CVE number, bulletin KB number, or update package KB number. Image 2 shows the search by number textbox.

 

How do I send feedback about the Security Bulletin Search Tool?

If you have feedback about the bulletin search, use the Contact Us link at the bottom of the TechNet Security website, and then click Content or Web Site Suggestions, Requests, Comments, and Feedback, and let us know what you think. If you're an enterprise customer, share your feedback through your technical account manager (TAM).

 

What do the results mean?

The output from the search lists the security bulletins that provide updates or workarounds for the product and service pack combination you've selected. Let's look at two examples:

  • Suppose you select Windows 7. The search results list all security bulletins providing updates or workarounds that can be installed on a Windows 7 system.
  • Suppose you select Internet Explorer 9 as the product, and check the box to "Show most recent updates only". The search tool lists only the Internet Explorer 9 security bulletins that have not been replaced by a more recent update.
  • Suppose you select a date range of January 1, 2012 through the current date. The search results list security bulletins that were published after January 1, 2012.

 

Why can I not use the "Show most recent updates only" setting?

You must first select a product or component to enable this setting. Bulletins are not replaced, only updates are.

 

What is the difference between an update and a bulletin?

A bulletin is an announcement that a new update has been issued. A bulletin might cover one or more updates and discusses the vulnerability fixed by the updates. Typically, a bulletin announces updates for several products within the same product family. For example, a typical Windows security bulletin might include updates for Windows 8, Windows 7, Windows Server 2008 R2, Windows Vista, Windows 2003, Windows 2000, and Windows XP, and any other Windows products as appropriate. Each update is product-specific and might replace other updates issued earlier for that product in another bulletin. It’s important to note that, while the search tool displays bulletins, it filters your search based on the updates announced in that bulletin.

 

Why do the results show "Bulletin Rating"?

Bulletins often contain updates for several products. An update may have a high severity for one product and a lower severity for another.

For example, the issues discussed in MS12-010 were Critical for Internet Explorer 7 and for Windows XP Service Pack 3, but were only Moderate for Windows Server 2003 because Internet Explorer 7 is installed on that operating system in a locked-down configuration that prevents these issues from being exploited.

A bulletin's severity rating equals the highest update severity among all updates within the bulletin.

 

Why don’t I see my product listed?

Only products that have an update released for them appear in the list. If your product is not listed, there are no updates for it.

 

What is the Severity Rating System?

The severity rating system provides a single rating for a vulnerability in a software product. The definitions of the ratings are:

RatingDefinition
CriticalA vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
ImportantA vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.
ModerateExploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
LowA vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

For more information, see Microsoft Security Response Center Security Bulletin Severity Rating System.

 

I'm not running the latest service pack. If I apply all the updates listed on the search page for my product and service pack, are my security fixes up-to-date?

Not necessarily. If you’re running a product or service pack that is not supported by Microsoft’s product lifecycle policies, your system may not be secure even if you apply all the updates provided by the search tool. Microsoft generally develops updates only for the current and next-to-current versions of a product and the current and next-to-current service packs for each. If you are using a product or service pack that is no longer supported, a update might not be available for it, even though it might be affected by the vulnerability. Read more about Microsoft’s product lifecycle policies.

Occasionally, a security fix is included in a service pack and not made available as a update. For example, Microsoft might take this step if a fix is so complex that it requires the level of regression testing that can only be applied to a service pack. In addition, some security updates can only be installed on recent service packs because of dependencies on particular versions of the product files.

To ensure that you have the latest set of security fixes, you should install the latest service pack and then apply the updates appropriate for your product and service pack.

 

I noticed there are updates recommended for a service pack that is not released yet. Why wouldn't these fixes be included in the service pack? Does this mean I must install these updates after I install the service pack?

Whenever we develop a service pack, we must establish a cutoff date after which we don't include any additional changes. This ensures that there is adequate time to test the service pack before releasing it to the public.

Security updates that are released after the cutoff date are not included in the service pack and should be applied to systems even after the service pack has been applied. If you apply these updates to your system prior to installing the service pack, you do not need to install them again after applying the service pack. The service pack will not overwrite these files.

 

Am I better off applying security updates or service packs?

You should apply both.

Security updates are released to address specific security vulnerabilities. Many times, these vulnerabilities are not applicable to a specific installation. You should carefully read each security bulletin to determine if the update is applicable to your situation.

Service packs, on the other hand, are planned releases that contain fixes for both security and non-security issues. Service packs should be applied to your system to ensure you have the latest version of fixes available for your product. More information on the choice between service packs and updates is available in the security essay, " Why Service Packs Are Better Than Patches".

 

I'm running the latest service pack, and I've installed all of the updates. Does this mean my system is fully secure?

No. Applying updates is a critical step toward having a secure system, but it's not sufficient by itself. Even a fully updated system might be insecure if it's not configured appropriately for its role.