Businesses that begin planning for Microsoft’s monthly patching cycle a week in advance will now have to pay a premium to get a preview of pending security bulletins.
Microsoft said it is restricting its freely available Advanced Notification Service (ANS) to its Premier customers and current organisations in its Active Protections Program.
The change to the service, which has been available for more than a decade, ends the broad distribution of upcoming security bulletins and the products and services they affect. The decision has roiled some vulnerability and patch management experts, who are concerned that it could have unintended consequences.
Microsoft said many of its large customers indicated that they no longer use the notification service. Larger organisations have optimised their testing and deployment methodologies, and midmarket companies are using cloud-based systems that provide continuous updating, said Chris Betz, who heads the Microsoft Security Response Center.
"While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically," Betz wrote in an announcement on the Microsoft Security Response Center blog.
"Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools, such as Windows Server Update Service, to help organise and prioritise deployment."
Most security service providers are not affected by the announcement. As members of the Microsoft Active Protections Program, approved security service providers get an advance look at telemetry data to determine how broadly the flaws affect systems.
Other industry vulnerability and patch management experts expressed concern about Microsoft's decision. It disregards patching best practices that organisations should be following, said Ross Barrett, senior manager of security engineering at Rapid7.
Barrett said businesses should consider the issues that can arise when using an automatic update to apply system patches. A patch not thoroughly tested could cause custom applications and third-party services to fail and disrupt employee productivity.
"This is an assault on IT and IT security teams everywhere," Barrett said. "Making this change without any lead-up time is simply oblivious to the impact this will have in the real world. Microsoft is basically going back to a message of 'just blindly trust' that we will patch everything for you. Honestly, it's shocking."
Microsoft is encouraging Premier support subscribers to tailor security bulletin information using a new feature called MyBulletins. The feature scales down the amount of information provided to only applications running in the environment. Customers are seeking to cut through the clutter and obtain security information tailored to their organisations, said Microsoft's Betz.
It's still problematic for the security community at large, which may have been following the advance notifications, said Jon Rudolph, principal software engineer at Core Security. By restricting advance notification, Microsoft is making its patching cycle less transparent, Rudolph said, and the disclosed vulnerabilities help guide customers in judging the quality of Microsoft software and the threats posed to it.
"By encouraging users toward the new myBulletins, Microsoft takes some control away from the users on this transition," Rudolph said. "By making this switch, Microsoft is not just cutting through the clutter - they are hiding their security report card from the general public."
This article originally appeared at crn.com