Update (February 14th): Microsoft has delayed the release of their February 2017 security updates due to a last-minute issue. As always, we will provide timely coverage for the vulnerabilities once Microsoft has published the updates.
Next Tuesday (February 14th) will mark a major change in how Microsoft issues their security updates. Since October 2003, on the second Tuesday of each month (plus occasional bonus out-of-band updates), Microsoft has published a number of Security Bulletins detailing fixes to vulnerabilities in their software products. System administrators and security professionals are familiar with identifiers of the form MS14-060, where the first two digits after MS refer to the year the bulletin was published and the last three increment over the course of the year. Each of these bulletins could include several vulnerabilities and/or Knowledge Base article identifiers (KBs).
After last month's atypically small number of bulletins, MS17-004 is the last bulletin in this format. Microsoft has announced that their new single destination for security vulnerability information will be their Security Updates Guide (still in "preview" as of this writing). Instead of publishing bulletins that describe related vulnerabilities together, the new Updates Guide breaks down fixes by CVE identifier, KB number, and product.
What This Means For Nexpose Users
Nexpose's existing Windows Hotfix vulnerability content uses Microsoft's bulletin numbers, for example, MS16-151: Security Update for Windows Kernel-Mode Drivers (3205651). If you have any habits or workflows that assume identifiers or titles in this particular format (e.g. filtering by vulnerability title), they will not include Windows Hotfix content from this coming Patch Tuesday onward. The new format will be CVE-based, with identifiers of the form msft-cve-yyyy-nnnn. Legacy content will not be changed to reflect this new format. However, to take the above MS16-151 as an example, it would become two distinct vulnerabilities:
- Microsoft CVE-2016-7259: Win32k Elevation of Privilege Vulnerability
- Microsoft CVE-2016-7260: Win32k Elevation of Privilege Vulnerability
If you are used to dealing with vulnerability IDs rather than titles, these would be called msft-cve-2016-7259 and msft-cve-2016-7260 respectively.
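As an added example (not code from the original post or from Nexpose itself), the helper below recognizes both the legacy bulletin IDs and the new msft-cve IDs, so a report filter keeps matching Windows Hotfix content across the change; the sample findings and the non-Microsoft row are constructed, and the two-digit-year expansion is an assumption.

```python
import re
from typing import Dict, List, Optional

# Legacy bulletin IDs: "MS" + two-digit year + three-digit sequence, e.g. MS16-151.
LEGACY_BULLETIN_RE = re.compile(r"^MS(\d{2})-(\d{3})$", re.IGNORECASE)
# New Nexpose Windows Hotfix IDs: msft-cve-yyyy-nnnn (CVE sequence is four or more digits).
MSFT_CVE_RE = re.compile(r"^msft-cve-(\d{4})-(\d{4,})$", re.IGNORECASE)


def parse_hotfix_id(vuln_id: str) -> Optional[Dict[str, object]]:
    """Classify a Windows Hotfix vulnerability ID in either format.

    Returns {"format": "bulletin"|"cve", "year": int, "number": str} (plus "cve"
    for the new format) or None when the ID is in neither format.
    """
    vuln_id = vuln_id.strip()
    m = LEGACY_BULLETIN_RE.match(vuln_id)
    if m:
        yy = int(m.group(1))
        # Assumption: two-digit years of 90+ are 1990s bulletins, otherwise 2000s.
        year = 1900 + yy if yy >= 90 else 2000 + yy
        return {"format": "bulletin", "year": year, "number": m.group(2)}
    m = MSFT_CVE_RE.match(vuln_id)
    if m:
        return {"format": "cve", "year": int(m.group(1)), "number": m.group(2),
                "cve": f"CVE-{m.group(1)}-{m.group(2)}"}
    return None


def select_windows_hotfixes(findings: List[Dict[str, str]], since_year: int = 0) -> List[str]:
    """Return the IDs of findings that are Windows Hotfix content in either format."""
    selected = []
    for finding in findings:
        parsed = parse_hotfix_id(finding["id"])
        if parsed and parsed["year"] >= since_year:
            selected.append(finding["id"])
    return selected


# Constructed sample rows: the legacy bulletin from the post, its two CVE-based
# successors, and an unrelated finding with a placeholder ID that must not match.
SAMPLE_FINDINGS = [
    {"id": "MS16-151", "title": "Security Update for Windows Kernel-Mode Drivers (3205651)"},
    {"id": "msft-cve-2016-7259", "title": "Microsoft CVE-2016-7259: Win32k Elevation of Privilege Vulnerability"},
    {"id": "msft-cve-2016-7260", "title": "Microsoft CVE-2016-7260: Win32k Elevation of Privilege Vulnerability"},
    {"id": "example-other-vendor-0001", "title": "Constructed non-Microsoft finding"},
]

if __name__ == "__main__":
    for vid in select_windows_hotfixes(SAMPLE_FINDINGS):
        print(vid, parse_hotfix_id(vid))
```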
Although this may take some getting used to, it will result in more accurate risk scores, as described in this blog post from when we introduced a similar change for Adobe, Debian, and Ubuntu security advisories.
Check back next week after Microsoft issues February's updates; we will provide some more concrete examples of these changes, along with our standard analysis of the fixes.