Microsoft's patch info 'blockade' pinches security staffs

11.02.2015
Security experts yesterday were still frustrated about Microsoft's decision last month to halt advance warnings of each month's patch slate, with one calling it a "blockade" and another arguing that it makes it difficult for IT administrators to do their job.

"For the second straight month Microsoft is holding fast to their blockade of information," said Ross Barrett, senior manager of security engineering at Rapid7, in an email. "Microsoft called this an evolution, and I can certainly see why -- they are applying a squeeze to security teams that will eliminate the weak members of the herd."

On Jan. 8, Microsoft abruptly shuttered its Advanced Notification Service (ANS), which had posted alerts five days before the arrival of each month's Patch Tuesday collection of security updates. The warnings listed the number of updates and what products they would affect, and described the severity of the underlying vulnerabilities.

ANS had been part of Microsoft's security process for more than a decade.

Microsoft contended that customers no longer relied on ANS, but instead simply waited for Patch Tuesday, then automatically applied the updates. That's very common among consumers, but much less so for businesses.

Some would still receive a heads-up, however. Enterprises that paid for premium support would continue to get some kind of warning.

But even those customers have been given short shrift, Barrett argued. "Customers with Premier support are getting a very sparse advance notification 24 hours before the [Patch Tuesday] advisories drop," he said.

Like the previous ANS, the advance notice sent to eligible customers -- a copy was seen by Computerworld -- listed the number of updates and what products they would affect, and described the severity of the underlying vulnerabilities. But as Barrett said, the notice, which was in table format, lacked the level of detail found in the pre-January alerts. The latter called out individual editions in a product line -- they might have rated, for instance, some Windows editions as "critical" but others, often servers, as merely "important" -- and provided additional context for the upcoming patches.

In November, for example, Microsoft told customers that bugs in the server side of Windows were not present in the client editions, but that the latter would be updated nonetheless to provide "additional defense-in-depth hardening" as protection against similar vulnerabilities that could pop up in the future.

The lack of ANS makes it tough on company IT and security staffs.

"Now in month two of no advance notification from Microsoft ... it is quite challenging to determine exactly what Microsoft recommends for deployment and how best to get that done," said Russ Ernst of Lumension.

Last month, Microsoft advised customers who would no longer receive advance notices to keep an eye on a dashboard, called "myBulletins," that the company rolled out in May 2014. But myBulletins doesn't preview the upcoming updates, posting items to users' pre-defined lists only after the bulletins have gone public on Patch Tuesday.

"myBulletins continues to be useless because it is not updated until well after the Patch Tuesday release," said Barrett.

Microsoft released nine security bulletins Tuesday to patch 56 vulnerabilities.

(www.computerworld.com)

Gregg Keizer