From now on, if you want to see what patches Microsoft is going to issue on Patch Tuesday, you’ll have to pay for it.
The company’s Advanced Notification Service (the Thursday postings that thumbnailed the security bulletins the company would issue on Patch Tuesday) will only be available to Premier customers. For the past 10 years the service has been free to anyone who wanted to subscribe.
“Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page,” according to a post by Chris Betz, the senior director of Microsoft’s Security Response Center.
Most customers, particularly the largest, don’t use the service much anymore, he writes, and most customers just wait until the actual bulletins are released on Patch Tuesday, which Microsoft now calls Update Tuesday.
Those who do take advantage of the advanced bulletins use them to evaluate the threats that will be addressed, determine whether their Microsoft products are affected, prioritize which patches to install and figure out how best to do so with minimal disruption.
Betz says the change is meant to help customers “cut through the clutter and obtain security information tailored to their organizations.”
But it also pushes customers toward using Microsoft’s automatic update services for the software they buy or toward relying on Microsoft cloud services that are patched as a matter of routine. “Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating,” he writes.
Microsoft will keep generating the information contained in the advanced notifications, but will hold it for paying customers. “For customers without a Premier support contract, we recommend taking advantage of myBulletins, which enables customers to tailor security bulletin information based on only those applications running in their environment,” he says.
But some are critical of the move.
“The vulnerabilities teach us something every month about software, security, mistaken assumptions, and the quality of the product, and (indirectly) threats, whether we currently use that product or not,” says Jon Rudolph, principal software engineer at Core Security. “It would appear that the list is still available for a price, and by encouraging users toward the new myBulletins, Microsoft takes some control away from the users.”
Ross Barrett, senior manager of security engineering at Rapid7, who routinely examines, comments on and blogs about the notifications, is harsher. “This is an assault on IT and IT security teams everywhere,” he says. “Making this change without any lead up time is simply oblivious to the impact this will have in the real world. Microsoft is basically going back to a message of ‘just blindly trust’ that we will patch everything for you. Honestly, it's shocking.”
Qualys CTO Wolfgang Kandek, who also closely follows the bulletins, was skeptical that demand for the advanced notices is waning. “Hmmh,” he writes in an email, “I personally have always thought that our customers were interested in the information contained in ANS, but we will see how that works out.”