Every month I get to review Windows patches, assign risk expectations, and start rolling out patches. I want to quickly highlight some of my sources of information on Windows patches.
1. ISC
The ISC is usually my first stop because they have a nice, compact grid that gives me a very quick overview of how many patches have been released and maybe how big a deal they may be (here’s August’s post). I really dig the mention of any active exploits in the wild.
2. Microsoft Bulletins
Obviously Microsoft’s patches are released with accompanying bulletins like this one from August 11 for MS09-039. Since I want technical information most of the time, I dig right into the Mitigations, Workarounds, and FAQ sections. If a CVE is involved, I’ll often check it out as well, along with other links in those (often vague!) advisories.
3. Microsoft Security Response Center (MSRC)
Microsoft has come a long way in their disclosure of patch and vulnerability detail. It’s like we’ve been out in the cold for years, but now every month we get a mug of hot chocolate with our patches, and it truly warms the soul. Not only is there a wealth of information here now, but I totally missed that they also do webcasts where they describe patches and common questions regarding them.
4. Microsoft’s Security Research & Defense Blog
This blog does not go over every single vulnerability or patch, but often goes into deep dives on some of the more important ones. In between patches, they also drop other information of interest to security geeks. Both this and the MSRC, in my mind, are indispensable right now.
5. The rest of the blogosphere
I then tend to pick and choose other sources of information from my RSS feeds list. Some blogs post regularly every month, others are far more hit-and-miss, but I have no problem feeding my continued desire to read anything and everything.