Microsoft Makes Advanced Patch Notification A Premium Offering
Businesses that begin planning for Microsoft’s monthly patching cycle a week in advance will now have to pay a premium to get a preview of pending security bulletins.
Microsoft said it is restricting its freely available Advanced Notification Service (ANS) to its Premier customers and current organizations in its Active Protections Program. The change to the service, which has been available for more than a decade, eliminates the broad distribution of upcoming security bulletins and impacted products and services. It's a decision that has roiled some vulnerability and patch management experts, who are concerned that it could have unintended consequences.
Microsoft said many of its large customers indicated that they no longer use the notification service. Larger organizations have optimized testing and deployment methodologies, and midmarket companies are using cloud-based systems to provide continuous updating, said Chris Betz, who heads the Microsoft Security Response Center.
"While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically," Betz wrote in an announcement on the Microsoft Security Response Center blog. "Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools, such as Windows Server Update Service, to help organize and prioritize deployment."
Solution providers told CRN that there could be some disruption. There are some companies that have staff using best practices who used the advanced notification for planning purposes, said Rob Kraus, director of research at managed security services provider Solutionary, a subsidiary of NTT Group.
"Some businesses like to forewarn internal teams, so this may be shortening that runway for network admins who may not subscribe to Premier support," Kraus said. "For those companies that actually test their packages before they deploy them, this could cause some issues."
Most security services providers are not impacted by the announcement. As a member of the Microsoft Active Protections Program, Solutionary and other approved security service providers get an advance look at telemetry data to determine how broadly the flaws impact systems. The security team evaluates detection scripts and technical indicators, and sometimes writes its own detection logic, Kraus said.
Other industry vulnerability and patch management experts expressed concern about Microsoft's decision. It disregards patching best practices that organizations should be following, said Ross Barrett, senior manager of security engineering at Rapid7. Barrett said businesses should consider the issues that can arise when using an automatic update to apply system patches. A patch not thoroughly tested could cause custom applications and third-party services to fail and disrupt employee productivity.
"This is an assault on IT and IT security teams everywhere," Barrett said. "Making this change without any lead-up time is simply oblivious to the impact this will have in the real world. Microsoft is basically going back to a message of 'just blindly trust' that we will patch everything for you. Honestly, it's shocking."
Microsoft is encouraging Premier support subscribers to tailor security bulletin information using a new feature called MyBulletins. The feature scales down the amount of information provided to only applications running in the environment. Customers are seeking to cut through the clutter and obtain security information tailored to their organizations, said Microsoft's Betz.
It’s still problematic for the security community at large, which may have been following the advanced notification, said Jon Rudolph, principal software engineer at Core Security. By restricting the advanced notification, Microsoft is making its patching cycle less transparent, Rudolph said. Vulnerabilities are used to help guide customers about the quality of Microsoft software and the threats posed to it, Rudolph said.
"By encouraging users toward the new myBulletins, Microsoft takes some control away from the users on this transition," Rudolph said. "By making this switch, Microsoft is not just cutting through the clutter -- they are hiding their security report card from the general public."
PUBLISHED JAN. 9, 2015