Microsoft abruptly dumps public Patch Tuesday alerts

08.01.2015
For the first time in a decade, Microsoft today did not give all customers advance warning of next week's upcoming Patch Tuesday slate. Instead, the company suddenly announced it is dropping the public service and limiting the alerts and information to customers who pay for premium support.

"Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and Web page," wrote Chris Betz, senior director at the Microsoft Security Response Center (MSRC), the group responsible for the warnings.

The change also applies to the occasional alerts that Microsoft issued when it gave customers a heads-up about an impending emergency patch. ANS will no longer provide public alerts for those "out-of-band" updates.

Security professionals torched Microsoft over the change.

"They've gone from free to fee, and for really no particular reason," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy, in an interview. "It doesn't make sense."

And Ross Barrett, senior manager of security engineering at Rapid7, let loose with both barrels. "This is an assault on IT and IT security teams everywhere," Barrett said in an email reply to questions. "Making this change without any lead time is simply oblivious to the impact this will have in the real world. Honestly, it's shocking."

The no-longer-available alerts from the "Advance Notification Service," or ANS, have been a part of Microsoft's monthly security apparatus for the last 10 years, Storms estimated. Those alerts appeared on Microsoft's website on the Thursday before the next Patch Tuesday, the tag for its monthly security update schedule.

Microsoft will still issue those updates next week -- on Jan. 13, at approximately 10 a.m. PT -- but only some customers will receive the pre-Patch Tuesday warnings, including today's. The warnings listed the number of updates and what products they would affect, and described the severity of the underlying vulnerabilities.

Betz explained the sudden disappearance of a public ANS by saying that customers weren't using it.

"Customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies," said Betz. "While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically."

Microsoft prefers to call its monthly security release "Update Tuesday," apparently believing "Patch Tuesday" carries negative connotations.

Storms wasn't buying Betz's explanation. "I don't get it. It's the wrong economic model," said Storms. "They say no one was using it, so now they're going to charge for it."

"Privatizing ANS to Premier and paid support protection programs only reiterates that Microsoft wants all of the pie, and will force organizations to pay," added Tim Byrne, product manager at Core Security, in an email.

Storms said that pulling the ANS plug was probably part of the reorganization that Microsoft has been implementing since 2013, but particularly since the large layoffs of mid-2014. For example, the Trustworthy Computing security group was shut down last September, with some staff let go and others beating a path to the door for new jobs. Others were parceled out to the company's cloud computing and legal teams.

"We know that there are a lot fewer folks at Microsoft," said Storms, referring to the layoffs and the shuttering of the Trustworthy Computing Group. "With X-percent fewer employees, I think they're just trying to make ends meet."

One result: ANS going from free to paid.

In hindsight, ANS's vanishing act shouldn't have been a shock. In November, for instance, Microsoft discontinued its long-running post-Patch Tuesday webcast, where senior security engineers and managers walked through the month's updates in detail.

Jonathan Ness, senior development manager at MSRC, and Dustin Childs, group manager of response communications -- who did the final webcast in November -- have both left Microsoft, illustrating Storms' point about staff reductions.

In a tweet today, Childs simply said, "Wow. #ANS now for premier customers only," about the change.

ANS was valuable, Storms maintained, and not only to the large corporations that will continue to receive the alerts as part of their Premier Support contracts.

"ANS was very useful for preparation before Patch Tuesday," said Storms. "It gave you time to make a VM [virtual machine] with the correct version of something so you could test the patches when they came out. There are definitely organizations that have relied on it."

The ramifications of the new ANS policy are hard to gauge, said Storms, but he worries about the trend in Redmond.

"I'm really surprised," said Storms. "It's very uncharacteristic of the Microsoft we've come to know and appreciate. They spent years gaining a foothold in the security community, changing how they were viewed in the industry, and they continued to add information and make ANS more valuable over time."

Others were more blunt. "Microsoft is basically going back to a message of 'just blindly trust' that we will patch everything for you," said Barrett of Rapid7.

"Microsoft takes some control away from the users [with] this transition," argued Jon Rudolph, principal software engineer at Core Security, in an email. "By making this switch, Microsoft is ... hiding their security report card from the general public."

Microsoft left the door ajar in one aspect: While ANS won't issue warnings of out-of-band patches, the company said it could use other unspecified ways to communicate with customers.

"The changes announced today apply to all Advance Notification Service (ANS) communications," a Microsoft spokesman said in an email response to questions about ANS's former role in distributing emergency alerts. "If we determine broad communication is needed for a specific situation, we'll take the appropriate actions to reach customers."

(www.computerworld.com)

Gregg Keizer