January 9th, 2015, 22:32 PM
Microsoft abruptly dumps public Patch Tuesday alerts
For the first time in a decade, Microsoft today did not give all customers advance warning of next week's Patch Tuesday slate. Instead, the company suddenly announced it is dropping the public service and limiting the alerts and information to customers who pay for premium support.
"Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and Web page," wrote Chris Betz, senior director at the Microsoft Security Response Center (MSRC), the group responsible for the warnings.
The change also applies to the occasional alerts that Microsoft issued when it gave customers a heads-up about an impending emergency patch. ANS will no longer provide public alerts for those "out-of-band" updates.
Security professionals torched Microsoft over the change.
"They've gone from free to fee, and for really no particular reason," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy, in an interview. "It doesn't make sense."
And Ross Barrett, senior manager of security engineering at Rapid7, let loose with both barrels. "This is an assault on IT and IT security teams everywhere," Barrett said in an email reply to questions. "Making this change without any lead time is simply oblivious to the impact this will have in the real world. Honestly, it's shocking."
The no-longer-available alerts from the "Advanced Notification Service," or ANS, have been a part of Microsoft's monthly security apparatus for the last 10 years, Storms estimated. Those alerts appeared on Microsoft's website on the Thursday before the next Patch Tuesday, the tag for its monthly security update schedule.
Microsoft will still issue those updates next week -- on Jan. 13, at approximately 10 a.m. PT -- but only some customers will receive the pre-Patch Tuesday warnings, including today's. The warnings listed the number of updates and what products they would affect, and described the severity of the underlying vulnerabilities.
Betz explained the sudden disappearance of a public ANS by saying that customers weren't using it.
"Customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies," said Betz. "While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically."
Microsoft prefers to call its monthly security release "Update Tuesday," apparently believing "Patch Tuesday" carries negative connotations.
Storms wasn't buying Betz's explanation. "I don't get it. It's the wrong economic model," said Storms. "They say no one was using it, so now they're going to charge for it?"
"Privatizing ANS to Premier and paid support protection programs only reiterates that Microsoft wants all of the pie, and will force organizations to pay," added Tim Byrne, product manager at Core Security, in an email.