Microsoft Halts Advanced Notification of Patch Tuesday Updates to Public

Microsoft No Longer Making Patch Tuesday Advanced Notification Available for General Public

Microsoft has decided to ditch its tradition of publicly publishing information about upcoming patches the Thursday before Patch Tuesday.

The decision represents a drastic change for the company’s Advance Notification Service (ANS), which was created more than a decade ago to communicate information about security updates before they were released.

“Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page,” blogged Chris Betz, senior director of Microsoft Security Response Center. “ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically.”

According to Betz, instead of using ANS to help plan security update deployments, customers today are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. In addition, other customers are using cloud-based systems that provide continuous updating, Betz added.

“For Premier customers who would still like to receive this information, Microsoft will continue to provide ANS through their Technical Account Manager support representatives,” he added. “ANS will also continue to be provided to current organizations that are part of our security programs such as the Microsoft Active Protections Program.  For customers without a Premier support contract, we recommend taking advantage of myBulletins, which enables customers to tailor security bulletin information based on only those applications running in their environment.”

Responses to the move among some appear to be mixed.

“Hmmh, I personally have always thought that our customers were interested in the information contained in ANS, but we will see how that works out,” blogged Qualys CTO Wolfgang Kandek.

“I think for the people responsible for patching, it does cut clutter, as long as you don’t mind keeping Microsoft up-to-date on everything you’re running, and trust them to send all the right Bulletins,” said Jon Rudolph, principal software engineer at Core Security. “And if a customer’s security is to just use Windows Update, I suppose this is already the case. But if Microsoft is reversing the script here and stating ‘There may be new vulnerabilities that don’t concern you’ should that loss of visibility concern the security professional who is looking past the current patch?”

The vulnerabilities, Rudolph added, teach the public something every month about software, security, mistaken assumptions, the quality of the product and the threat landscape.

“I’m glad to see that they are willing to talk about the trends they observe in the existing system, but by making this switch, Microsoft is not just cutting through the clutter, they are hiding their security report card from the general public,” he said.