Don't use Microsoft's Security Update Guide (yet)
Microsoft announced a while ago that it plans to do away with the two-decade old security bulletin release scheme, and switch over to the Security Update Guide service instead for update information.
Planned for February 2017 initially, the change was postponed. We don't know why, but the postponing of security update releases for Windows and other Microsoft products in February may have had something to do with it.
In March 2017, Microsoft released security bulletins as if the previous announcement never happened. Coincidentally, we don't know why Microsoft postponed the February Patch day, the company never stated why.
Security Update Guide issues
The Security Update Guide will be the place to go for security update information in the future. There is little doubt that Microsoft will still go ahead with the planned change.
If you open the Security Update Guide right now, you will notice that it is already live. It lists release notes for February and March, and security updates that date back to mid-February 2017.
The site looks fine on first glance. You can filter the listing by date, product, severity, impact, or KB ID for instance, and also search in the results again.
If you look closely however, you will notice that Microsoft does not list all security updates there for a given operating system or product.
Take the recently released security update for Microsoft Internet Explorer, KB4012204 for instance. The bulletin lists KB4012204 for Internet Explorer 9, 10 and 11.
If you check the Security Update Guide, you will notice that Internet Explorer 10 and 11 are not listed there. If you search for the KB ID, you only get the listing for Internet Explorer 9 (which means Vista and Server 2008).
If you download security updates manually, you may miss out on this important Internet Explorer update as it is not included in the monthly security only update release for Windows 7, 8.1, 10, and the server versions.
As Woody notes, the Internet Explorer update is also not listed on the cumulative update history page for Windows 7 and Windows Server 2008 R2, nor for Windows 8.1 and Windows Server 2012, 2012R2.
The question is, how do you know about future updates that are released that are not mentioned by Microsoft in key locations?
This is not a problem for systems that are updated through Windows Update. The Internet Explorer patch is delivered along with other security updates in this case.
If you happen to install updates manually for Windows however, you may miss out on pages due to oversights by Microsoft.
In case you are wondering, the updates are listed on the Microsoft Update Catalog. The information that you need to install 4012204 is also listed on the KB4012213 KB4012212 KB4012215 KB4012216 pages of the security only quality update release.
Still, the fact that the information is missing on the Security Update Guide listing is a blunder by Microsoft that the company should address quickly. If it is intended to be your one-stop shop for all things security updates, it has to list them all.
Now You: How would you like Microsoft to handle update information?
I really no longer care what M$ does having recently switched over to Linux. (Yes, I’m one of those newly converted and enthusiastic Linux fans.) Must admit though, I’m grieving a little bit over M$’s suicide. They did at one time offer an excellent product.
+1
This Windows Update feature, with all its complications, has become such a mess that I hardly understand the very explanations of those who do understand … anyway, not concerned anymore, not that I’ve already switched to Linux as you did, Valborex, but because I just don’t “Winupdate” anymore. Yet, I remain curious to see to what depths Microsoft will dive.
@ Tom Hawack,
Curiosity not withstanding; Fasten your seat belt and hang on! It’s gonna be a wild and bumpy ride… ;>)
Me too +1. :)
But its better to dual boot Linux with Windows for now in case software or game you need only works on windows.
Use Linux for everything else, restrict usage of windows to software and games that don’t have Linux version yet.
@ dark
Or run Linux from an external USB hard-drive on a Windows OEM computer.
Imagine you are in Win 7 Group B who manually installs the post-Oct 2016 monthly Security-Only updates via M$ Update Catalog and you unexpectedly need to do a reinstall of Win 7 in Oct 2018(eg hard-drive failure), ie it may not be easy or impossible to locate all these cumulative updates for IE11. In this way, M$ may be wanting to force Win 7/8.1 Group B users to change to Group A “sheep” so that they can do away with monthly Security-Only updates = M$ can save some labor costs.
Presently, it seems, the Security Update Guide/SUG does not show any security updates from before Sep 2016. Imagine the SUG remaining as it is and the M$ Security Bulletins are done away with in April 2017.
I stopped updating last October because of the lack of clarity of what was contained within their updates.
That kind of behavior suggests to me that there are things that they don’t want their customers to know, so any
trust I may have had in M$ evaporated.
Same here. I keep a backup around and use common sense. I’m not going to update any “bundles” – even if they’re labelled “security only”.
@ Norm
Same here.
I think SuRun will provide better security on windows than Microsoft, its like sudo on Linux.
Can you review SuRun and make tutorial on how to configure it properly?
I think having this on windows software will be very important to prevent malwares and other suspicious programs from having admin rights by default.
https://sourceforge.net/projects/surun/
I do not think Microsoft is deliberately sabotaging Windows 7 and 8 update information. Microsoft expected the vast majority of consumers to accept the recommended monthly rollups via Windows Update. They understood that some IT Pros would choose the security-only bundle and WSUS is their go-to product. I think the lack of complete or clear info in the new Security Update Guide is just a sloppy oversight and can be easily addressed. If they do not address it quickly and appropriately, it will lead to assumptions and uncomfortable questions about their motives.
PR won’t fix it.
A clear statement that acknowledges the mistake is the best way to go. Let’s see if they make it simple, complicated or ignore the situation altogether. Place your bets.
LD, I agree with you. I think the execution of this was not orchestrated well. There is no Evil Empire conspiracy so we can now put away the tin foil hats.
What they could of done better is provide more documentation and provide a translation of what you saw with a security bulletin and this is how you would relate it to the security guide. Not articulated well at all.
The brighter spot is that they provided a REST api for the data, however they stumbled with the documentation of how the data is organized. Having a hard time finding something that describes the data and how it is organized. But this is definitely better than what was available previously (I have automated processes to report and release patches).
Linux guys…. Really? If you switched to Linux, good for you. Why are you commenting on a topic that you really no longer have any useful input on? I use both, I just don’t wear it like a badge showing it to everyone I can…
I think SuRun will provide better security than Microsoft, its like sudo in Linux.
Can you review SuRun and make tutorial on how to configure it properly?
I think having SuRun on windows will be very important step to prevent malwares and other suspicious from having admin rights by default.
https://sourceforge.net/projects/surun/
Thanks, Martin, for keeping us apprised of this development!
The Microsoft Malware update, kb2952664, was included again. Will this lead to automatically converting my computer to Windows 10?
That’s a telemetry update, nothing to do with GWX.
I need Windows 7, I just need to know if “Security-Only updates” are only security updates.
Your site provides all the info I need to keep my system up to date Martin.
As a thank you gift I’ve disabled my adblocker and anti-privacy trackers. :)
@Martin Brinkmann
> If you check the Security Update Guide, you will notice that Internet Explorer 10 and 11 are not listed there.
> If you search for the KB ID, you only get the listing for Internet Explorer 9 (which means Vista and Server 2008).
As the picture reveals, you’re using Google Chrome for your tests on Security Update Guide;
indeed, repeating the query showed in your screengrab I get the same as you in Chrome:
http://imgur.com/fSLPaHc
HOWEVER, in Mozilla Firefox 52 (customised to look like Internet Explorer),
the query works as expected:
http://imgur.com/xfYdHxn
So, it’s better to state that the Security Update Guide Service is not equally functional
with all types of browsers…
Best regards
Ah, you clicked on “security only” in Firefox, but not in Chrome. This reveals the updates for IE10 and IE11.
Apologies, my bad :-(
I was experimenting with the site previously and had ticked all “Show:” entries
under “Security Update”…
Cheers
Documentation is not updated yet for Windows 10 x64 KB4015438 but a “Check for Updates” does install it in about 25 minutes on my laptop, with winver then showing Version 1607 (build 14373.969). Microsoft Update Catalog does have KB4015438 available for download, but I can’t find out what it specifically addresses other than its 1 gig download size.
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4015438