Microsoft's Security Update Guide To Report on CBL-Mariner Linux Vulnerabilities

Microsoft's Security Update Guide, which chronicles Microsoft's patch releases each month, is getting two relatively new additions.

First off, the Security Update Guide will soon list common vulnerabilities and exposures (CVEs) for Microsoft's CBL-Mariner Linux distribution, per a Friday announcement. CBL-Mariner is Microsoft's Linux-based operating system that's widely used with various Azure services.

Specifically, CBL-Mariner is getting added to the "Security Update Guide (SUG) Common Vulnerability Reporting Framework." Publication will happen "beginning January 11, 2023."

The coming CBL-Mariner vulnerability disclosures are expected to bulk up the amount of CVEs published by Microsoft, although the CVEs actually derive from various open source software projects.

"CBL-Mariner is built from a number of upstream open-source projects, so the majority of CBL-Mariner CVEs are authored and published by other organizations, also known as CVE Numbering Authority (CNA)," the announcement explained.

Second, Microsoft last month started displaying security updates in the Security Update Guide in association with its Hotpatch service fixes, as described in a late-December announcement. Per this new approach, the Security Hotpatch Update and its associated Security Update appear together in the same row. The two entries get labeled with slightly different Knowledge Base article numbers, though, it seems.

Hotpatch is an Azure Automanage capability that helps automate virtual machine management tasks without reboots because the patching occurs in memory. Patched applications are said to run without interruptions. Hotpatch, commercially released last year, is available for users of the Windows Server 2022 Datacenter Azure Edition product.

In general, Microsoft has been making subtle improvements to its Security Update Guide since a general revamp that was done a couple of years ago. The guide was said back then to have gotten more succinct wording. Microsoft of late seems to be including more Azure-specific CVEs in it as well.

Today, the Microsoft Security Update Guide is mostly a 100-page-plus generic boilerplate compendium that's published every "update Tuesday" (the second Tuesday of a month). Its listings are often insufficient for security professionals and others to understand the software flaws involved, but Microsoft does limit the descriptions -- for security reasons.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


comments powered by Disqus

Subscribe on YouTube