Security Experts Blast Microsoft For Pulling Patch Tuesday Notifications


Microsoft will now provide its advance ‘Patch Tuesday’ alerts only to customers who pay for Premier support contracts

Microsoft has discontinued its free notices detailing monthly security updates in advance, saying the service was no longer being used by customers, but said the notices will still be available to paying customers.

The move was criticised by some security professionals, who said it would hinder organisations’ ability to quickly test and deploy Microsoft’s updates.


The Advance Notification Service (ANS), deployed more than a decade ago as part of Microsoft’s monthly patching programme, published a detailed list of upcoming patches on a publicly available web page, as well as alerts for emergency, unscheduled updates. The company said it will continue issuing the alerts, but only to paying customers.

“Moving forward, we will provide ANS information directly to Premier customers and current organisations involved in our security programmes, and will no longer make this information broadly available through a blog post and web page,” wrote Chris Betz, senior director at the Microsoft Security Response Center (MSRC), in a blog post.

He said the “vast majority” of customers don’t use ANS, due to “optimised” methods that allow them to wait for the patch release date to carry out testing and deployment.

“While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically,” Betz wrote.

‘Cut through the clutter’

Eliminating the notices is also intended to help organisations “cut through the clutter” by turning to services such as Microsoft Update or Windows Server Update Service to organise patch deployment, according to Betz. Customers can also sign up for myBulletins, a service that offers security alerts solely for applications running in a user’s environment, Betz said.

He said ANS will continue to be provided to customers with a Premier support contract through their Technical Account Manager support representatives and to organisations that are part of security programmes such as the Microsoft Active Protections Programme.

Some security professionals rejected Microsoft’s explanation for the move, saying the public alerts are widely used by IT security teams.

“Making this change without any lead up time is simply oblivious to the impact this will have in the real world,” stated Ross Barrett, senior manager of security engineering at Rapid7, who has published regular analyses of the notifications. “Microsoft is basically going back to a message of ‘just blindly trust that we will patch everything for you’.”

‘Assault’

He called the change, which was made with no advance notice, an “assault” on IT security teams.

Other industry observers said the change may have resulted from a broad reorganisation at Microsoft that began in 2013 and included large-scale layoffs in the middle of last year, with the Trustworthy Computing security group shut down in September. The reorganisation is itself the result of a broad industry shift toward mobile devices which has diminished the importance of Microsoft products such as Windows.

Prominent figures at MSRC have left Microsoft, including senior development manager Jonathan Ness and Dustin Childs, group manager of response communications. In November Microsoft discontinued a long-running webcast in which engineers gave details on the monthly updates.

Microsoft said in a statement that while ANS is no longer public, the company may also “take the appropriate actions to reach customers” if it determines that “broad communication” is needed for a specific situation.
