Microsoft kills off security bulletins - for goodThursday, January 5, 2017
Microsoft’s last ever security bulletin is next week - so has the manual bulletin had its day?
Microsoft is to kill off security bulletins, with the last one set to be this next ‘patch Tuesday’, or Tuesday Jan 10. So has the bell tolled for the traditional security bulletin?
The company has been sending a monthly security bulletin on the second Tuesday of each month since June 1998, and has a live archive going back to 11/11/2008, but has now decided to stop the bulletins service.
In a blogpost Microsoft said: “our customers have asked for better access to update information, as well as easier ways to customize their view to serve a diverse set of needs. Security update information will be published as bulletins and on the Security Updates Guide until January 2017. After the January 2017 Update Tuesday release, we will only publish update information to the Security Updates Guide.”
Essentially, it’s now possible to slice and dice what had become an enormous morass of patches far more finely and effectively, which is no bad thing. Consider that in November 2016 Microsoft put out 14 Security Bulletins, which contained 55 different patches for different KB numbers, but grouped together in various ways. Those 55 security patches actually contain 175 separate fixes by platform, which is a whole lot of patching going on.
Arguably, Microsoft has the biggest mess to clear up here, so has been forced to take action earliest, but it wouldn’t be surprising for other software companies to follow suit in simplifying the patching process. For example, take Android, which now receives monthly patches. In January 2017 LG released their patch list before Google, with a total of 81 patches for vulnerabilities from Google and LG, with eight being specific to LG. Not only will Google be unimpressed by the early disclosure of these vulnerabilities, but that’s a fair number of patches to work through. Oracle’s last patch release was in October 2016, which contains 253 new security fixes across 76 product families.
Back in September WordPress issued a security release, fixing two key security issues (a cross-site scripting vulnerability and a path traversal vulnerability in the upgrade package uploader to be exact), along with 15 other bugs, and that’s just the core WordPress codebase, not including the many plugins. As Ilia Kolochenko, High-Tech Bridge CEO pointed out, WordPress plugins can present serious issues: “Vulnerable WordPress plugins are a very well-known source of vulnerabilities. Nowadays, critical RCEs and Arbitrary File Upload flaws are quite rare, but as we can see - they still exist and complement less dangerous but more frequent XSS and SQL injections.”
“Unlike core WordPress installation that is maintained and supported by a team of professionals, third-party plugins are often abandoned or release security patches with a significant delay. The best way to avoid security problems with plugins would be to stop using them, but if there is no such possibility - WordPress owners should rename or hide admin directory, implement two factor authentication (however, it won’t save them from RCE) and hide the admin panel. A simple WAF can be also a very good idea (however, it will not help against advanced vectors of XSS). Obviously, core WP installation and all plugins should be maintained up to date.”
There’s a handy reference list of security advisories here to boot. Although the importance of timely patching is a widely-acknowledged fact, the huge range of products in even a smaller SME still makes keeping on top of them a serious task. If this wasn’t the case, then Gartner’s stat of 99 per cent of exploited vulnerabilities being ones that have been publicly disclosed for at least a year wouldn’t be the case. Maybe 2017 will be the year that patching gets easier, but based on January so far, that seems like a distant hope...