Why Microsoft needs to realise forewarned means forearmed on security

Storm warning

Microsoft has taken the decision to keep its customers less informed about security issues, if a recent blog by Chris Betz, the senior director of the firm's Security Response Centre, is anything to go by.

The post revealed the software giant is to cease to offering users advanced warning about the software updates it plans to roll out during its monthly Patch Tuesday event, unless they pay.

"We are making changes to how we distribute ANS [Advanced Notification Services] to customers. Moving forward, we will provide ANS information directly to Premier customers and current organisations involved in our security programs, and will no longer make this information broadly available through a blog post and web page," Betz wrote.

If you happen to be part of the premium customer program, or a Microsoft Active Protections Program partner like many security vendors, then you will still get advanced warning. Everyone else can, apparently, go swivel.

I sincerely hope and expect the ANS information will be leaked online and published anyway, as this kind of advanced notification is vital to IT admins wanting to plan updates and patches, as downtime scheduling and immediate testing is only possible with advance warning.

If you are part of the Microsoft premium customer program, you will still get advanced warning. Everyone else can, apparently, go swivel.

Quite how anyone thinks it is helping the overall security posture of Microsoft to disengage from customers in this way, unless they open their wallets and become premium customers, is frankly beyond me. Transparency is something I have banged on and on about over the years, and while the updates will continue by muddying the waters ahead of their release, visibility of what's to come will be reduced, so unexpected accidents could happen.

All this move will accomplish is that organisations at the smaller end of the enterprise spectrum, who cannot afford to be a Microsoft Premium Partner, will be exposed to known vulnerabilities for longer periods than those who pay up as they will no longer be able to do the required legwork ahead of the release. Surely this is not rocket science? Surely this is obvious to Microsoft? Surely the only motivation behind this move is money?

Viewed in conjunction with the findings from a new ESET security report, which suggests Microsoft fixed almost twice as many vulnerabilities across the product range in 2014 than it did in 2013, I can only conclude that Microsoft has become disconnected from the important matter of customer security and trust.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.