Microsoft Slammed for Taking Patch Tuesday Private

Microsoft has been slammed by industry experts for its decision to make advanced security notices available only to those who pay a premium.

Redmond said that its Advance Notification Service (ANS) was changing to meet the evolving needs of customers and their technology environments.

It said in a statement:

“Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page.”

Microsoft claimed that “optimized testing and deployment methodologies” amongst the large organizations for whom ANS was intended mean that the vast majority wait for Patch Tuesday or simply allow automatic updates, rendering the notifications redundant.

It added:

“More and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations. Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating.”

Premier customers who want it will still be able to receive the updates through their Technical Account Manager support representatives, whilst those without such a contract were urged to sign up to the personalized myBulletins service.

However, Rapid7 security engineering senior manager, Ross Barrett, claimed that the move was an “assault on IT and IT security teams everywhere.”

“Making this change without any lead up time is simply oblivious to the impact this will have in the real world,” he argued.

“Microsoft is basically going back to a message of ‘just blindly trust’ that we will patch everything for you. Honestly, it's shocking.”

Tim Byrne, product manager at Core Security, added that “Microsoft wants all of the pie and will force organizations to pay.”

“This of course will open even more sneaky back doors for the bad guys,” he said.

Byrne’s colleague and principal software engineer, Jon Rudolph, agreed with Microsoft that the move would remove clutter but aired similar concerns.

“It would appear that the list is still available for a price, and by encouraging users toward the new myBulletins, Microsoft takes some control away from the users on this transition,” he argued.

“I’m glad to see that they are willing to talk about the trends they observe in the existing system, but by making this switch, Microsoft is not just cutting through the clutter, they are hiding their security report card from the general public.”  
