Changes to the Security Bulletin Advanced Notification Service

The Microsoft Security Response Center (MSRC) announced some changes to the Advanced Notification Service (ANS) which is basically a service anyone can subscribe to which provides notice on Thursday the week before each month's Tuesday security bulletin releases of the number, severity, and affected products for that month's security bulletins. The changes are additional detail that will be provided for each individual bulletin including:

  • Maximum Severity Rating
  • Impact of the Vulnerability
  • Detection Information
  • Affected Software

The changes are a good idea. The ANS is it is today is somewhat valuable in that it gives you some idea of what is coming on patch Tuesday but really only enough information to make high level staffing decisions ie. have ops staff primed for testing and deployment. With the additional information in the new service, you should be able to get more prepared since you'll know more of the specifics of each bulletin, how to detect if you are vulnerable, etc. It should help ops staff to have a more complete test and deployment plan ready to roll by each Tuesday.

The MSRC also announced changes to the Security Bulletins themselves to make them more readable and quicker to get the important parts like deciding applicability and finding direct links to the hotfix downloads. They've posted a sample of what the new bulleting format looks like here.