Microsoft abandons advance warnings of upcoming security patches

PCLast June, Microsoft upset many people who work in IT support departments by announcing that they would no longer send out security advisories via email.

Apparently the software giant was worried that the (really rather useful) emails might fall foul of Canadian anti-spam laws.

Fortunately, within a few days, Microsoft realised that it was being daft and did a u-turn. It *would* carry on sending email advisories about security updates after all.

Phew! That was a relief.

But now, six months later, Microsoft is giving everyone who has ever manned an IT support desk yet more heebie jeebies.

In a blog post, Microsoft has announced that it will no longer make advanced notification of upcoming patches available to the masses.

Microsoft blog post

"We are making changes to how we distribute ANS (Advance Notification Service) to customers. Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page."

In other words, "no-one was using ANS, so we're going to start charging customers for it".

Umm.. excuse me? How does that make any sense?

In short, unless you're a paid-up Premier customer of Microsoft, you're not going to get a heads-up from them in the days before Patch Tuesday. Not that they don't have the information, of course. It's just that they're only going to share it with their paying customers and partners.

The Advance Notification Service (ANS) has been with us for years, a familiar communication in the days running up to each Patch Tuesday.

Oh hang on a minute. Did I say "Patch Tuesday"?

Slap my wrists. I shouldn't call it Patch Tuesday anymore. Microsoft would like us to all call it "Update Tuesday" as you can see in the next quote from the blog post:

"Customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically."

Come on Microsoft, don't make us laugh. Why not carry on making the information available for everyone who wants to know just how busy they'll be on the upcoming Patch Update Tuesday?

What possible reason would you have for wanting to prevent computer users and IT teams from having prior warning of what a regular bunch of updates (or indeed an emergency out-of-band patch) might contain?

Is it that you're worried that you're worried you might be left red-faced by pre-announcing a fix that doesn't then make it as planned in the Tuesday patches? We know you've had some problems with your planned security updates lately, but we forgive you...

You made a mistake last year when you said you were no longer going to send out email notifications of security updates. But you realised your mistake, and put it right.

Be the big guy, and admit you've got this wrong as well. For the better safety of the internet, and all the companies and home users attached to it, share your pre-notifications with more than just paying subscribers.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

2 Responses

  1. S Jackson

    January 10, 2015 at 3:20 pm #

    I agree, for safety reasons as well as pre-planning reasons these notifications should be made available to "all" internet users.

    • Andy Lee Robinson in reply to S Jackson.

      January 13, 2015 at 6:32 am #

      Update Tuesday? Weasel words from the marketing and image departments…

      If they ship it and it's flawed, they own it and should fix it.
      I think consumer law is pretty clear on this.

      Let's face it, we are all still paying for their ignorance of and cavalier attitude about security with Win95 and 98 that enabled the whole malware and virus industry to get going.

Leave a Reply