Systems administrators accustomed to Microsoft's verbose security bulletins got a change-up on April Patch Tuesday, as the company retired its bulletin IDs in favor of a new vulnerability reporting format via its Security Update Guide.
In preview since November, the Security Update Guide replaces the security bulletins that Microsoft had used since 1998. The new site allows admins to "view and search security and vulnerability information in a single online database," according to Microsoft. The company disclosed 45 vulnerabilities on its new vulnerability portal for April Patch Tuesday.
Instead of grouping related fixes under security bulletin ID numbers -- for example, MS17-008 -- the Security Update Guide lists vulnerability ID numbers and Knowledge Base article ID numbers.
"It was a learning curve, but I think with time, administrators and security teams will get used to the new format," said Amol Sarwate, director of vulnerability labs for Qualys Inc., based in Redwood City, Calif. "They'll get a holistic picture and see how things are interconnected with each other, and to get a general picture of what is being updated."
Some administrators will miss the security bulletin format, because it combined vulnerability reports and was easier to digest, Sarwate said. Now, organizations must learn how to format the reports themselves.
The decision to switch to the new vulnerability database was "to follow the ICASI Common Vulnerability Reporting Framework, the industry standard for vulnerability reporting," according to a Microsoft FAQ on the Security Update Guide.
Patch for Hyper-V
For April Patch Tuesday, Windows Server administrators should pay attention to several Hyper-V remote code execution vulnerabilities -- CVE-2017-0162, CVE-2017-0163, CVE-2017-0180 and CVE-2017-0181, Sarwate said. All the vulnerabilities are listed as critical.
The exploit occurs when an attacker runs a specially crafted application on a guest OS to allow the execution of arbitrary code on the Hyper-V host OS.
"The attacker can basically take control of the host operating system," Sarwate said.
Microsoft also provided updates for a known zero-day vulnerability in Microsoft Word, as well as vulnerabilities in Internet Explorer and Microsoft Edge. Administrators should issue these patches on the off chance that an employee uses Word or a browser on a Windows Server machine, Sarwate said.
Filtering feature helps narrow focus
The Security Update Guide format allows administrators to filter updates based on product, severity and impact to view only the vulnerabilities that affect their systems and help them prioritize patch rollouts. For example, a Windows Server 2012 R2 administrator can select just that product to see all its patches.
"From an administrator's point of view in larger organizations, those roles are pretty well-defined," Sarwate said. "Say I'm an Outlook administrator -- I can come in and search for Outlook CVEs [common vulnerabilities and exposures] and see those things that are affected, and then start applying the patches."
For more information about the remaining security vulnerabilities released on April Patch Tuesday, visit Microsoft's Security TechCenter site.
Dan Cagen is the associate site editor for SearchWindowsServer.com. Write to him at [email protected].
A roundup of Windows Server patches in 2017
Microsoft patching change draws mixed reactions
Streamline the server patching process