Yesterday, Microsoft delivered its first Patch Tuesday of 2015 which included one Critical update among eight total. This month, Microsoft focused on the Windows operating system, delivering fixes for flaws in Elevation of Privilege, Security Bypass, and Remote Code Execution. Additionally, the company's patching teams also produced a fix for an update that was released in December that caused Internet Explorer 9 to stop working. Ironically, the IE9 fix requires users to first have the bad patch installed before installing the fix.
It's no secret that the company spent much of 2014 having to fix its own patches. Microsoft's updates put customers on edge these days. After the releases were made available yesterday, patching administrators immediately started reporting an issue with their WSUS and WSUS-integrated patching mechanisms where error messages were received. SOAP errors with code 0X80131500 were reported pretty quickly. This eventually rectified itself, though. The problem turned out to be that Microsoft's staged delivery system just hadn't caught up with the demand yet.
You should already be aware that Microsoft ended a long-standing feature of its patching process, the Advance Notification Service. Each month, Microsoft would make available the list of updates that companies needed to prepare to receive and provide the list for public view. The service was valuable, yet Microsoft halted it suggesting it was not being used, that automated delivery is being utilized instead, and that more companies are moving to the Cloud where patching is no longer their concern. Based on the overwhelming number of comments in the communities after the program ended, Microsoft was sorely wrong. Don't expect the company to admit that, though.
Whenever Microsoft has eliminated a feature or service valuable to IT Pros in the past couple years (TechNet, TechEd, MMS, and others), the company has offered a replacement. As we've experienced, though, the replacement never quite meets the full capabilities or value of the original offering. And, such is the case, it seems, for the touted replacement for the Advance Notification Service.
My Security Bulletins Dashboard is what Microsoft proposed to replace the Advance Notification Service. If you look today, the Bulletins Dashboard is chock full of the updates release yesterday.
But, last night, when the updates released, the Bulletins Dashboard was blank for everyone, and it took several hours before anything current showed up. Bulletins released since 2008 are included in the tool, making it a valuable tool for organizations to view a historical view of security releases, but apparently, for those used to being forewarned about applicable updates, it's not a great substitute. Microsoft essentially substituted an early warning system with a belated birthday greeting. It's like powering a tornado warning system after the town has already been demolished.
Customers have already increased the length of their patch testing and deployment processes due to the past years update release woes. Now, without knowing what is coming beforehand, the patching process will need to be adjusted again. For those companies with patching admins that perform multiple tasks in the organization, the added time requirements may mean some computers never get updated. It seems Microsoft has taken a huge step backward when it should be working to improve its updating processes.