Those who have been in the industry for more than a couple of years will remember when Microsoft retired its very powerful and well-documented security bulletins back in 2017. At the time, we felt it was a severe reduction in the availability of information; Microsoft was suddenly communicating much less. Yesterday, they did it again. As the leader of a vulnerability research team, I feel it is my responsibility to point out the shortcomings of this newest format.

Unless you read the MSRC blog on Monday, you were introduced to a very unexpected advisory layout when Microsoft dropped its patches this month. Even if you were paying attention, you didn’t get the five months’ notice they gave us before the 2017 change; you got 24 hours. If you don’t read their blog daily, you got no notice at all.

Microsoft’s blog on the new format claims there is no loss of information, but I feel that couldn’t be further from the truth. As soon as you read the blog post, it is obvious that information is going to be lost, yet their infographic argues otherwise: they claim that the typical three- or four-sentence description they previously provided maps onto a few CVSS fields plus the vulnerability name.

Their first example illustrates that mapping with this description:

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could (Read more...)