In-depth

Why Microsoft needs to realise forewarned means forearmed on security

Davey Winder explains why Microsoft is mad to halt its Patch Tuesday Advanced Notification alerts for all users

Storm warning

Microsoft has taken the decision to keep its customers less informed about security issues, if a recent blog by Chris Betz, the senior director of the firm's Security Response Centre, is anything to go by. 

The post revealed the software giant is to cease to offering users advanced warning about the software updates it plans to roll out during its monthly Patch Tuesday event, unless they pay.  

"We are making changes to how we distribute ANS [Advanced Notification Services] to customers. Moving forward, we will provide ANS information directly to Premier customers and current organisations involved in our security programs, and will no longer make this information broadly available through a blog post and web page," Betz wrote.

If you happen to be part of the premium customer program, or a Microsoft Active Protections Program partner like many security vendors, then you will still get advanced warning. Everyone else can, apparently, go swivel.

I sincerely hope and expect the ANS information will be leaked online and published anyway, as this kind of advanced notification is vital to IT admins wanting to plan updates and patches, as downtime scheduling and immediate testing is only possible with advance warning.

If you are part of the Microsoft premium customer program, you will still get advanced warning. Everyone else can, apparently, go swivel.

Quite how anyone thinks it is helping the overall security posture of Microsoft to disengage from customers in this way, unless they open their wallets and become premium customers, is frankly beyond me. Transparency is something I have banged on and on about over the years, and while the updates will continue by muddying the waters ahead of their release, visibility of what's to come will be reduced, so unexpected accidents could happen.

All this move will accomplish is that organisations at the smaller end of the enterprise spectrum, who cannot afford to be a Microsoft Premium Partner, will be exposed to known vulnerabilities for longer periods than those who pay up as they will no longer be able to do the required legwork ahead of the release. Surely this is not rocket science? Surely this is obvious to Microsoft? Surely the only motivation behind this move is money?

Viewed in conjunction with the findings from a new ESET security report, which suggests Microsoft fixed almost twice as many vulnerabilities across the product range in 2014 than it did in 2013, I can only conclude that Microsoft has become disconnected from the important matter of customer security and trust.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

Black Friday's best antivirus deals
Security

Black Friday's best antivirus deals

27 Nov 2020
Veritas Access Appliance with IBM Spectrum® Protect
Server & storage

Veritas Access Appliance with IBM Spectrum® Protect

27 Nov 2020
Ransomware protection with Veritas NetBackup Appliances
Security

Ransomware protection with Veritas NetBackup Appliances

27 Nov 2020
Ransomware resiliency: The risks associated with an attack and the reward of recovery planning
Security

Ransomware resiliency: The risks associated with an attack and the reward of recovery planning

27 Nov 2020

Most Popular

80% of cyber professionals say the Computer Misuse Act is working against them
Security

80% of cyber professionals say the Computer Misuse Act is working against them

20 Nov 2020
Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
350,000 Spotify users hacked in credential stuffing attack
Security

350,000 Spotify users hacked in credential stuffing attack

24 Nov 2020