We have all been dealing with security updates for years now, so I thought I would refresh some of the information once again with this FAQ.
How can I get information about security vulnerabilities in Microsoft products and services?
- The Security Update Guide is the authoritative source of information for Microsoft security updates. The SUG helps IT professionals understand and use Microsoft security release information, processes, communications, and tools so they can manage organizational risk and develop a repeatable, effective deployment mechanism for security updates.
- Accessing the Security Update Guide data: You can customize your views and download affected software spreadsheets, as well as access data via a RESTful API.
- Security Update Guide tutorials: A series of Security Update API demo videos has been published on the Microsoft Support YouTube channel. The series walks you through how to access the API and how to retrieve security update data using the API.
When does Microsoft release security updates?
- Microsoft schedules the release of security updates on “Patch Tuesday,” the second Tuesday of each month at 10:00 AM PST.
- Depending on the time zone(s) in which the organization operates, IT pros should plan their deployment schedules accordingly. Please note that some products do not follow the Patch Tuesday schedule.
Can I receive notifications when new security updates are available?
- Yes!
- Microsoft sends out a notification whenever there is material information that affects customers’ security. If security changes are required, Microsoft releases a security update which includes all of its supporting collateral such as the Security Update Guide and Knowledge Base article. Otherwise, Microsoft communicates via several methods (for example, a security advisory or a blog post) on the matter that affects customers’ security and provides guidance along the way.
Microsoft Technical Security Notification Services
- Microsoft’s free monthly Security Notification Service provides links to security-related software updates and notification of re-released security updates. You can choose between basic and comprehensive formats. These notifications are written for IT professionals, contain in-depth technical information, and are digitally-signed with PGP.
- Subscribe at https://www.microsoft.com/msrc/technical-security-notifications
Microsoft Security Response Center (MSRC) blog alerts
- The MSRC blog provides a real-time way for the MSRC to communicate with IT pros. The MSRC uses this blog to disseminate important and material security communications to help IT pros understand Microsoft security response efforts; updates during the early stages of security incidents; and regular postings for the vulnerabilities release cycle: https://msrc-blog.microsoft.com/
MSRC Twitter: @msftsecresponse
- MSRC uses a verified Twitter account to post brief notifications about security updates, security advisories and other security issues. Follow @msftsecresponse for fast access to the latest information.
Where can I find the status of known issues?
- Microsoft subjects all security updates to extensive research, development, and testing processes, and releases them only when they meet an acceptable level of quality. As part of the risk assessment process, administrators often want to identify any known issues. Typically, these issues will be documented in Knowledge Base articles associated with the security updates at support.microsoft.com. These Knowledge Base articles accompany all security updates and advisories, and include caveats or known issues with security updates. Additionally, support engineers document common concerns from customers in these KB articles.
- These Knowledge Base articles are published in the Security Update Guide with each release on Patch Tuesday.
Will the Security Update Guide be released in languages other than English?
- Yes. Microsoft publishes localized security update release information on the Security Update Guide.
Will Microsoft continue to publish acknowledgements of the researchers who reported a vulnerability?
- Yes. You can find acknowledgements in the CVE Detail sections of the Security Update Guide. You can also see a list of all Acknowledgements here: https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments
Will Microsoft continue to provide notification for out-of-band security update releases?
- Yes.
I’m not familiar with the CVRF format mentioned on the Developer page. What is this format and where can I get more information about it?
- Microsoft has made the strategic decision to follow the CVRF Industry Standard for vulnerability reporting. You can learn more about CVRF and review the data schema at http://www.icasi.org/cvrf/
Do I need to be logged into my Microsoft account to use the Security Update Guide dashboard and API?
- The Security Update Guide dashboard is available without logging in. If you click the Developer tab to access the API, you’ll be prompted to log in to your Microsoft account.
I have suggestions for how to improve the portal. Where should I send them?
- Thanks! You can post suggestions on the Security Update Guide Q&A forum.
How can I group related security updates?
- In the Security Update Guide, you can group related updates by combining the date filter with Product Category, Severity, and Impact filters. You can then download the results to CSV.
Are there monthly summaries of security updates?
- Yes, there is a Monthly Summary Page in the Security Update Guide here: https://portal.msrc.microsoft.com/en-us/security-guidance/summary
How can I assess the criticality of security updates?
- To help customers understand the risk associated with each vulnerability, Microsoft provides the following data on the Security Update Guide:
- Impact: security threats of the vulnerability.
- Severity: Maximum potential impact of the attack. See more at Security Update Severity Rating System
- CVSS Score: Common Vulnerability Scoring System (CVSS)
- Publicly Disclosed: Marked YES when the vulnerability has been publicly disclosed before the release of the security update.
- Exploited: Marked YES when the vulnerability has been exploited before the release of the security update.
- Microsoft Exploitability Index: Potential exploitability of each vulnerability of Important or Critical severity associated with a Microsoft security update. See more at Microsoft Exploitability Index
- Additional Microsoft resources to evaluate risk:
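The Exploited, Publicly Disclosed, Severity and CVSS Score fields listed above can be turned into a deployment order once the filtered results are downloaded to CSV. The following is an added example, not Microsoft's code: the column names, the CVE ids and the ranking policy (exploited first, then publicly disclosed, then severity, then CVSS) are assumptions, and the sample data is constructed.

```python
import csv
import io

# Constructed sample standing in for a Security Update Guide CSV download.
# Column names and CVE ids are placeholders, not the portal's real headers.
SAMPLE_CSV = """CVE,Severity,CVSS,PubliclyDisclosed,Exploited
CVE-0000-0001,Important,7.8,No,Yes
CVE-0000-0002,Critical,9.8,No,No
CVE-0000-0003,Critical,8.1,Yes,No
CVE-0000-0004,Moderate,5.5,No,No
CVE-0000-0005,Important,,No,No
"""

SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}

def _flag(row, column):
    """True when a YES/NO column is marked YES (case-insensitive)."""
    return (row.get(column) or "").strip().lower() == "yes"

def _cvss(row):
    """CVSS as float; a missing or invalid score counts as 10.0 (worst case)."""
    try:
        score = float(row.get("CVSS") or "")
    except ValueError:
        return 10.0
    return score if 0.0 <= score <= 10.0 else 10.0

def triage_key(row):
    """Assumed policy: exploited, then disclosed, then severity, then CVSS."""
    severity = (row.get("Severity") or "").strip().lower()
    return (not _flag(row, "Exploited"),
            not _flag(row, "PubliclyDisclosed"),
            SEVERITY_RANK.get(severity, -1),  # unknown rating sorts first
            -_cvss(row))

def prioritize(csv_text):
    """Return the CVE ids in deployment-priority order."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row["CVE"] for row in sorted(rows, key=triage_key)]

def expedite(csv_text):
    """CVEs to patch ahead of the regular cycle (assumed rule)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["CVE"] for r in sorted(rows, key=triage_key)
            if triage_key(r)[:2] != (True, True) or triage_key(r)[2] <= 0]

if __name__ == "__main__":
    print(prioritize(SAMPLE_CSV), expedite(SAMPLE_CSV))
```

A row with no CVSS score or an unrecognized severity is ranked as worst case within its tier, so incomplete data never pushes an update to the bottom of the queue.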
How can I deploy security updates?
Windows Update and Microsoft Update
- Security Updates are generally categorized as Important and will be downloaded and installed automatically.
Microsoft Update Catalog
- To get the standalone package for a security update, go to the Microsoft Update Catalog website.
Windows Server Update Services (WSUS)
- This update will automatically synchronize with WSUS if you configure Products and Classifications (Security Updates).
- Installation Logic: With automatic update technologies, detection and installation logic automatically manages the installation order of security updates. If you manually install security updates, please make sure to check the Security Update Guide and Knowledge Base article before installing.
- Patch compliance: Windows Update Agent (WUA) can be used to scan computers for security updates without connecting to Windows Update or to a Windows Server Update Services (WSUS) server, which enables computers that are not connected to the Internet to be scanned for security updates. For more info, see “Using WUA to Scan for Updates Offline”
- File size of security update: File size of each security update package is documented on the Windows Update catalog site.
Servicing Models of Windows: Windows uses a rollup model to bring a more consistent and simplified servicing experience. Learn more about the servicing model of Windows at:
- Windows 10 update servicing cadence
- Simplifying updates for Windows 7 and 8.1
- Further simplifying servicing models for Windows 7 and Windows 8.1
- More on Windows 7 and Windows 8.1 servicing changes
- .NET Framework Monthly Rollups Explained
- Simplified servicing for Windows 7 and Windows 8.1: the latest improvements
- Windows Server 2008 SP2 servicing changes
- Windows 7 servicing stack updates: managing change and appreciating cumulative updates
How can I troubleshoot issues with security updates?
- Please see this guided walkthrough which provides steps to fix problems with Windows Update, such as taking a long time to scan or error codes while installing updates.
- Also, Windows Release Information publishes known issues on Windows.
Why is the security bulletin ID number (e.g. MS16-XXX) not included in the Security Update Guide?
- The way Microsoft documents security updates has changed. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, has been retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers (CVE) and KB Article ID numbers.
How can I get information about the support policy for Security Updates?
- Updates will be supported for the duration of the product’s lifecycle. For more information about the support and servicing timeline for a specific product, please see the Lifecycle Product Database.
- Support end-day policy: In the event Microsoft releases a security update on the same day that a product is scheduled to end its lifecycle, security update support will continue for a minimum of 30 days.
- Extended Security Updates: The Security Update Guide lists the vulnerabilities in the products covered by Extended Security Updates. To receive these security updates, a valid license for the Extended Security Updates is required. Please see the Extended Security Update FAQs for more information.