Microsoft has decided to stop sending out email notifications to alert users about the latest Patch Tuesday security updates, in what appears to be a heavy-handed response to new Canadian anti-spam laws.
The email updates, which Redmond has been sending out for over a decade now, will be replaced by RSS feeds for those that want to continue receiving the vital patch information.
The notice read as follows:
“As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:
* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins.”
Users can sign up to an RSS feed by going to the relevant Microsoft Technical Security Notifications page.
These feeds are split into “Basic Alerts”; “Comprehensive Alerts”; “Security Advisories Alerts”; and “Microsoft
Security Response Center Blog Alerts”.
July 1 is the same day that a tough new anti-spam law (CASL) comes into effect in Canada. However, it has been argued that Microsoft has over-reacted to the new legislation with its decision.
As Brian Krebs explained in a blog post, a CASL clause specifically exempts certain types of commercial email communications.
Specifically, this covers any emails which “warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased”.
This would appear to apply to Microsoft’s Patch Tuesday updates.
Redmond’s decision to shutter its widely read email notifications is all the more baffling given it was involved in the discussions which helped frame the new law.
Microsoft was also forced to warn users that cybercriminals may try to exploit its decision.
“If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites,” it added. “Microsoft does not distribute security updates via email.”