Microsoft's New Security Update Procedure
According to the Microsoft Security Bulletin Search site (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp), this year Microsoft published 51 security updates across all product lines, or an average of 4 per month. Of the 51 updates, 25 were for the Windows 2000 platform and 15 were for Windows Server 2003 during the 6 months after the product hit the street. During 2003, we also digested and assimilated 6 cumulative updates for the supported versions of Microsoft Internet Explorer (IE) on every system in the enterprise. In case you missed it, Microsoft released the latest security rollup for IE on November 11. For information about the latest rollup, which has a rating of critical, see Microsoft Security Bulletin MS03-048 (Cumulative Security Update for Internet Explorer) at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS03-048.asp.

In response to customer feedback about the security update process, affectionately referred to as drinking from a fire hose, Microsoft made four important changes to the management and publication of security updates, effective October 15, 2003. To reduce the constant stream of alarming bulletins, with the attendant frantic activity associated with the download, evaluation, and deployment of four or more updates per month, Microsoft now publishes security bulletins and code updates on the second Tuesday of every month. According to the "Revamping the Security Bulletin Release Process" white paper (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/revsbwp.asp), Microsoft will make exceptions to the monthly release schedule for emergency situations when the security team determines "that customers are at immediate risk from viruses, worms, attacks or other malicious activities. In such a situation Microsoft may release security patches as soon as possible to help protect customers."

You can get an overview of monthly updates on the Microsoft Security Bulletin Summaries page (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/summary.asp). The "Microsoft Windows Security Bulletin Summary for November, 2003" (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/winnov03.asp) contains a brief description of three security vulnerabilities that affect Windows Me and later. The "Microsoft Office Security Bulletin Summary for November, 2003" (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/offnov03.asp ) documents a hotfix that closes vulnerabilities in Microsoft Word and Microsoft Excel in several versions of Microsoft Office. The summary includes hotlinks to the official bulletin for each update at which you can read details about the flaw, learn about a worst-case scenario that might occur as a result of the vulnerability, find available workarounds or mitigation procedures, and download the patch.

To centralize documentation about each security patch and to reduce the confusion that the difference between a security bulletin and the related Knowledge Base article causes, Microsoft now documents all information about each hotfix in the official security bulletin; previously the company split the documentation between the security bulletin and a Knowledge Base article. The company continues to publish a Knowledge Base article that cites the security bulletin as a source; however, the article is a reference only--it contains no documentation other than a link to the security bulletin.

According to the "Revamping the Security Bulletin Release Process" white paper, Microsoft expanded the security bulletin notification process to better accommodate enterprise customers and end users. Enterprise users can receive all security bulletins; end users and retail customers can restrict receipt to bulletins that affect only the OS and Office applications. To subscribe to email-based security bulletins, visit the Security Notification Service page at http://register.microsoft.com/subscription/subscribeme.asp?id=135. The form on this page doesn't let you restrict the bulletins you want to receive, so it appears that Microsoft hasn't yet implemented the end-user version of the security bulletin service.

I see several potentially positive outcomes from the streamlined security update procedure. First, as security folks know, most vulnerabilities don't pose an immediate threat and thus can be managed reasonably well on a monthly maintenance cycle. Second, the inclusion of workarounds and mitigation procedures is a great help because many flaws can't be exploited if you have a properly configured firewall to screen network traffic. Third, although the white paper doesn't address the effect of the monthly cycle on Windows Update, because Microsoft will publish security hotfixes on the second Tuesday of every month, you can reconfigure the Automatic Update client to download updates monthly, rather than weekly or daily, drastically reducing the bandwidth users need to keep systems current and secure. Likewise, if you run your own Microsoft Software Update Services (SUS) server, the monthly cycle cuts down on the internal bandwidth required to distribute hotfixes across the enterprise.

Improved Office Update Inventory Tool
In November, Microsoft released an improved version of the Office Update Inventory Tool that audits the hotfix status of Office 2003, Office XP, and Office 2000. Office Update Inventory Tool 2.0, which incorporates many of the Microsoft Baseline Security Analyzer (MBSA) self-updating features, automatically downloads new inventory tool components when the existing files are out of date, downloads the most current catalog of published hotfixes for each version of Office, and produces an XML report that contains a description of and links to missing hotfixes or hotfixes that have been superceded by more recent updates. Version 2.0 contains one catalog instead of hundreds of .cif files, can audit the hotfix status of Office installations in a variety of languages, and produces output reports in four languages, including English, French, German, and Japanese.

Unlike MBSA--which can audit the status of the OS on one system, a group of systems, or all systems on a network from one system--you must run the inventory tool's detection engine locally on each system that you want to audit. You can install and run the detection engine on each system, or you can run the inventory utility from a network share. Using command-line arguments, you identify the catalog's location, the output report's location, and the language preference for the output report.

If you want to experiment with the latest version, you need to download the tool's executable files and the most recent Office update catalog. The "Office Update Inventory Tool 2.0 Checks Installations for Updated Status" Web page (http://www.microsoft.com/office/ork/2003/journ/offutoolv2.htm) contains the download links and instructions about how to install and run the utility locally or from a network share, and documents the procedure you follow to convert the output to XML format.