Microsoft is facing fierce criticism over its decision to make pre-notification of upcoming patches available only to paid subscribers.
The Advance Notification Service (ANS) formerly made information on upcoming software patches available to the public but from now on the information will be restricted to “premier” customers and some other select partners.
Chris Betz, senior director of the Microsoft Security Response Center, explained in a blog post that Microsoft was restricting distribution of the patching pre-alert out of a desire to reduce "clutter". Betz argued that the security heads-up notice was no longer of much utility to the majority of its customers.
We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organisations involved in our security programs, and will no longer make this information broadly available through a blog post and web page.
ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimised testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically.
More and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations. Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating.
Jon Rudolph, principal software engineer at Core Security, argued that rather than "just cutting through the clutter", Microsoft is "hiding their security report card from the general public".
"The vulnerabilities teach us something every month about software, security, mistaken assumptions, and the quality of the product, and (indirectly) threats, whether we currently use that product or not," said Rudolph. "It would appear the list is still available for a price, and by encouraging users toward the new myBulletins, Microsoft takes some control away from the users on this transition."
Ross Barrett, senior manager of security engineering at Rapid7, the developers of the Metasploit penetration testing tool, is even more critical.
“This is an assault on IT and IT security teams everywhere," Barrett commented. "Making this change without any lead-up time is simply oblivious to the impact this will have in the real world. Microsoft is basically going back to a message of 'just blindly trust' that we will patch everything for you. Honestly, it's shocking.”
In the absence of a published pre-alert, we don't know what patches or how many will appear on the first Patch Tuesday of 2015, which is due to drop on 13 January. Whether or not there will be a patch to address a local privilege escalation vulnerability in Windows 8.1 discovered by Google and published in late December is one key point of interest for next week, as noted in a blog post by Wolfgang Kandek, CTO of Qualys, here. ®