Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Microsoft abruptly dumps public Patch Tuesday alerts

Gregg Keizer | Jan. 9, 2015
For the first time in a decade, Microsoft today did not give all customers advance warning of next week's upcoming Patch Tuesday slate. Instead, the company suddenly announced it is dropping the public service and limiting the alerts and information to customers who pay for premium support.

"Privatizing ANS to Premier and paid support protection programs only reiterates that Microsoft wants all of the pie, and will force organizations to pay," added Tim Byrne, product manager at Core Security, in an email.

Storms said that pulling the ANS plug was probably part of the reorganization that Microsoft has been implementing since 2013, but particularly since the large layoffs of mid-2014. For example, the Trustworthy Computing security group was shut down last September, with some staff let go and others beating a path to the door for new jobs. Others were parceled out to the company's cloud computing and legal teams.

"We know that there are a lot fewer folks at Microsoft," said Storms, referring to the layoffs and the shuttering of the Trustworthy Computing Group. "With X-percent fewer employees, I think they're just trying to make ends meet."

One result: ANS going from free to paid.

In hindsight, ANS's vanishing act shouldn't have been a shock. In November, for instance, Microsoft discontinued its long-running post-Patch Tuesday webcast, where senior security engineers and managers walked through the month's updates in detail.

Jonathan Ness, senior development manager at MSRC, and Dustin Childs, group manager of response communications — who did the final webcast in November — have both left Microsoft, illustrating Storms' point about staff reductions.

In a tweet today, Childs simply said, "Wow. #ANS now for premier customers only," about the change.

ANS was valuable, Storms maintained, and not only to the large corporations that will continue to receive the alerts as part of their Premier Support contracts.

"ANS was very useful for preparation before Patch Tuesday," said Storms. "It gave you time to make a VM [virtual machine] with the correct version of something so you could test the patches when they came out. There are definitely organizations that have relied on it."

The ramifications of the new ANS policy are hard to gauge, said Storms, but he worries about the trend in Redmond.

"I'm really surprised," said Storms. "It's very uncharacteristic of the Microsoft we've come to know and appreciate. They spent years gaining a foothold in the security community, changing how they were viewed in the industry, and they continued to add information and make ANS more valuable over time."

Others were more blunt. "Microsoft is basically going back to a message of 'just blindly trust' that we will patch everything for you," said Barrett of Rapid 7.

"Microsoft takes some control away from the users [with] this transition," argued Jon Rudolph, principal software engineer at Core Security, in an email. "By making this switch, Microsoft is ... hiding their security report card from the general public."


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.