The Security Bulletin Search Tool lets you easily and quickly find the security updates available for Microsoft products. The tool was recently updated in March 2012. Microsoft Security Bulletins provide information and guidance about updates that are available to address software vulnerabilities that may exist in Microsoft products. A security bulletin contains information about any product vulnerability that could result in multiple customers' systems being impacted. Security bulletins include the following:
With each security bulletin that is released, there is an associated software update available for the affected product.
Learn more about the monthly security bulletin update release process.
The search tool was updated in March 2012. Now you can filter bulletins by product, component, bulletin number, bulletin KB number, update package KB number, or CVE number. You can also set a start date and end date to see bulletins within a specific date range. Finally, you can download more comprehensive information about the security bulletins in an Excel file.
The Product/Component box lets you select the product or component that you want update information for. Select "All" to see the updates available for all Microsoft products, or select a particular product to see only the updates available for it.
Once you select a product or component, you can also search only for the most recent updates. This allows you to filter the search to only show those updates you need to deploy. Note that this option (to search for the most recent updates only) is available only if a product or component has been selected.
You can use the Release Date Range to show only those bulletins issued within a particular time frame. You can also search for bulletins by the bulletin number, CVE number, bulletin KB number, or update package KB number. Image 2 shows the search by number textbox.
If you have feedback about the bulletin search, use the Contact Us link at the bottom of the TechNet Security website, and then click Content or Web Site Suggestions, Requests, Comments, and Feedback, and let us know what you think. If you're an enterprise customer, share your feedback through your technical account manager (TAM).
The output from the search lists the security bulletins that provide updates or workarounds for the product and service pack combination you've selected. Let's look at two examples:
You must first select a product or component to enable this setting. Bulletins are not replaced, only updates are.
A bulletin is an announcement that a new update has been issued. A bulletin might cover one or more updates and discusses the vulnerability fixed by the updates. Typically, a bulletin announces updates for several products within the same product family. For example, a typical Windows security bulletin might include updates for Windows 8, Windows 7, Windows Server 2008 R2, Windows Vista, Windows 2003, Windows 2000, and Windows XP, and any other Windows products as appropriate. Each update is product-specific and might replace other updates issued earlier for that product in another bulletin. It’s important to note that, while the search tool displays bulletins, it filters your search based on the updates announced in that bulletin.
Bulletins often contain updates for several products. An update may have a high severity for one product and a lower severity for another.
For example, the issues discussed in MS12-010 were Critical for Internet Explorer 7 and for Windows XP Service Pack 3, but were only Moderate for Windows Server 2003 because Internet Explorer 7 is installed on that operating system in a locked-down configuration that prevents these issues from being exploited.
A bulletin's severity rating equals the highest update severity among all updates within the bulletin.
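The two rules above (only updates are replaced, and a bulletin takes its highest update severity) can be modelled in a few lines. This is an added example, not code from the search tool: the record fields, the `EX-*` bulletins, the product names and the `KB-EXAMPLE-*` numbers are constructed placeholders, and only the MS12-010 severities come from this page.

```python
from collections import namedtuple

# Ratings used by the severity rating system, lowest to highest.
RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}

# One row per update. Field names are assumptions made for this example.
Update = namedtuple("Update", "bulletin product kb severity replaces")

# Constructed sample data; KB numbers and EX-* bulletins are placeholders.
UPDATES = [
    Update("MS12-010", "Windows XP Service Pack 3", "KB-EXAMPLE-1", "Critical", None),
    Update("MS12-010", "Windows Server 2003", "KB-EXAMPLE-2", "Moderate", None),
    Update("EX-001", "Example Product A", "KB-EXAMPLE-3", "Important", None),
    Update("EX-001", "Example Product B", "KB-EXAMPLE-4", "Important", None),
    # A later update for Product A that replaces the one announced in EX-001.
    Update("EX-002", "Example Product A", "KB-EXAMPLE-5", "Low", "KB-EXAMPLE-3"),
]


def bulletin_severity(updates, bulletin):
    """Bulletin rating = highest severity among the updates it announces."""
    ratings = [u.severity for u in updates if u.bulletin == bulletin]
    if not ratings:
        raise KeyError(bulletin)
    return max(ratings, key=RANK.__getitem__)


def search(updates, product, most_recent_only=False):
    """Return bulletins that announce an update for `product`.

    With most_recent_only, updates replaced by a later update for the same
    product are dropped first; the bulletin itself is never "replaced".
    """
    hits = [u for u in updates if u.product == product]
    if most_recent_only:
        replaced = {u.replaces for u in hits if u.replaces}
        hits = [u for u in hits if u.kb not in replaced]
    return sorted({u.bulletin for u in hits})


if __name__ == "__main__":
    print(bulletin_severity(UPDATES, "MS12-010"))
    print(search(UPDATES, "Example Product A", most_recent_only=True))
    print(search(UPDATES, "Example Product B", most_recent_only=True))
```

EX-001 drops out of the most-recent results for Example Product A but still appears for Example Product B, because the filter works on updates rather than on bulletins.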
The severity rating system provides a single rating for a vulnerability in a software product. The definitions of the ratings are:
| Rating | Definition |
|---|---|
| Critical | A vulnerability whose exploitation could allow the propagation of an Internet worm without user action. |
| Important | A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources. |
| Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation. |
| Low | A vulnerability whose exploitation is extremely difficult, or whose impact is minimal. |
For more information, see Microsoft Security Response Center Security Bulletin Severity Rating System.
Not necessarily. If you’re running a product or service pack that is not supported by Microsoft’s product lifecycle policies, your system may not be secure even if you apply all the updates provided by the search tool. Microsoft generally develops updates only for the current and next-to-current versions of a product and the current and next-to-current service packs for each. If you are using a product or service pack that is no longer supported, an update might not be available for it, even though it might be affected by the vulnerability. Read more about Microsoft’s product lifecycle policies.
Occasionally, a security fix is included in a service pack and not made available as an update. For example, Microsoft might take this step if a fix is so complex that it requires the level of regression testing that can only be applied to a service pack. In addition, some security updates can only be installed on recent service packs because of dependencies on particular versions of the product files.
To ensure that you have the latest set of security fixes, you should install the latest service pack and then apply the updates appropriate for your product and service pack.
Whenever we develop a service pack, we must establish a cutoff date after which we don't include any additional changes. This ensures that there is adequate time to test the service pack before releasing it to the public.
Security updates that are released after the cutoff date are not included in the service pack and should be applied to systems even after the service pack has been applied. If you apply these updates to your system prior to installing the service pack, you do not need to install them again after applying the service pack. The service pack will not overwrite these files.
You should apply both.
Security updates are released to address specific security vulnerabilities. Many times, these vulnerabilities are not applicable to a specific installation. You should carefully read each security bulletin to determine if the update is applicable to your situation.
Service packs, on the other hand, are planned releases that contain fixes for both security and non-security issues. Service packs should be applied to your system to ensure you have the latest version of fixes available for your product. More information on the choice between service packs and updates is available in the security essay, "Why Service Packs Are Better Than Patches".
No. Applying updates is a critical step toward having a secure system, but it's not sufficient by itself. Even a fully updated system might be insecure if it's not configured appropriately for its role.