Why Microsoft needs to realise forewarned means forearmed on security
Davey Winder explains why Microsoft is mad to halt its Patch Tuesday Advanced Notification alerts for all users
Microsoft has taken the decision to keep its customers less informed about security issues, if a recent blog by Chris Betz, the senior director of the firm's Security Response Centre, is anything to go by.
The post revealed the software giant is to cease to offering users advanced warning about the software updates it plans to roll out during its monthly Patch Tuesday event, unless they pay.
"We are making changes to how we distribute ANS [Advanced Notification Services] to customers. Moving forward, we will provide ANS information directly to Premier customers and current organisations involved in our security programs, and will no longer make this information broadly available through a blog post and web page," Betz wrote.
If you happen to be part of the premium customer program, or a Microsoft Active Protections Program partner like many security vendors, then you will still get advanced warning. Everyone else can, apparently, go swivel.
I sincerely hope and expect the ANS information will be leaked online and published anyway, as this kind of advanced notification is vital to IT admins wanting to plan updates and patches, as downtime scheduling and immediate testing is only possible with advance warning.
If you are part of the Microsoft premium customer program, you will still get advanced warning. Everyone else can, apparently, go swivel.
Quite how anyone thinks it is helping the overall security posture of Microsoft to disengage from customers in this way, unless they open their wallets and become premium customers, is frankly beyond me. Transparency is something I have banged on and on about over the years, and while the updates will continue by muddying the waters ahead of their release, visibility of what's to come will be reduced, so unexpected accidents could happen.
All this move will accomplish is that organisations at the smaller end of the enterprise spectrum, who cannot afford to be a Microsoft Premium Partner, will be exposed to known vulnerabilities for longer periods than those who pay up as they will no longer be able to do the required legwork ahead of the release. Surely this is not rocket science? Surely this is obvious to Microsoft? Surely the only motivation behind this move is money?
Viewed in conjunction with the findings from a new ESET security report, which suggests Microsoft fixed almost twice as many vulnerabilities across the product range in 2014 than it did in 2013, I can only conclude that Microsoft has become disconnected from the important matter of customer security and trust.