Many of us have come to rely on Microsoft to give us a “heads up” the week before their monthly release of security updates, so we could be prepared for just what would be coming down the pike at us a few days later. It came as a surprise, then, when the company greeted us on the Thursday prior to Patch Tuesday (the day they usually post a brief overview of the upcoming patches), with a blog post from the Microsoft Security Response Center (MSRC) team that says, in essence, they’re no longer going to do it.
Specifically, in Evolving Microsoft’s Advance Notification Service in 2015, Chris Betz says, “Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page.” In other words, no more security bulletin sneak previews for the general public.
The blog post suggests that users only care about those updates that directly impact them and their systems. When it comes to consumers, I won’t argue with that – but consumers weren’t the ones for whom the advance notifications were intended in the first place. IT pros have a plethora of different computers and devices that they have to take care of, and many would like to see the upcoming updates for all of them, all in one place, without having to jump through hoops to “customize their experience” with the myBulletins service that Microsoft says to use instead.
This policy change didn’t go unnoticed by the IT pro community, many members of which already feel as if Microsoft has been steadily losing interest in them over the last few years. Within a couple of hours after the blog post hit the web, I was getting email from my readers and colleagues about it – and none of them seemed to be happy about the decision.
The most common response that I heard is one I can’t print here, but it translates – in “polite company” form – to “What are they thinking?” Many tech journalists are interpreting this move as a way to create a new revenue stream. InfoWorld’s headline came right out and said it: Microsoft to Charge Windows Users for Advanced Security Notifications. Forbes put it this way: Microsoft Blasted for Locking Out Poorer Businesses from Advance Security Warnings.
Core Security product manager Tim Byrne said, “My take on this is that privatizing ANS to Premier and paid support protection programs only reiterates that MSFT wants all of the pie and will force organizations to pay. This of course will open even more sneaky back doors for the bad guys!”
When I first heard the news, I wondered if money was the motivation, too. However, after reading Mary Jo Foley’s somewhat more balanced report, it seems to me that those accusations are a little overblown. Apparently her first question was the same as mine: Would those Premier customers be allowed to share the information? If not, it would certainly come off as a money grab.
But Mary Jo quotes an unnamed Microsoft spokesperson as saying that those who receive the advance notification service information won’t have to sign an NDA. Thus it appears that anyone who does get it is free to publish it.
Some see restricting the distribution of the information not as a way to make people pay for it (is any business really going to run and buy Premier status just so they’ll keep receiving advance notice of patches that will be released a few days later?) but as a way to obscure the updating process.
Another Core Security employee, software engineer Jon Rudolph, said in part, “I’m glad to see that they are willing to talk about the trends they observe in the existing system, but by making this switch, Microsoft is not just cutting through the clutter, they are hiding their security report card from the general public.”
Given recent circumstances, with Google researchers publishing details of vulnerabilities in Microsoft products when they weren’t patched in a Google-defined reasonable amount of time, it’s fair to wonder if the company might want to confuse the issue of just what’s being patched and what isn’t. However, taking away advance notifications wouldn’t do a very good job of that, since all of the updates themselves will still be released on Patch Tuesday and those who want to criticize need only wait for that day. (Of course, I’m assuming here that the security bulletins themselves will still be published normally, since only advance notifications are mentioned in Microsoft’s blog post. If that changes, too, I think we’ll have far more unhappy campers in the IT community than we have now.)
Microsoft’s official statements have stressed that their reasoning is solely based on the fact that “… the vast majority of customers don’t use the ANS.” This might strictly be true, given that the advance notification is (was) written in the dry, jargonized language of TechNet. Maybe it’s only bloggers such as myself who actually read the thing, and then attempt to translate it into something more palatable for the average IT pro and general public. Given the “no NDA” statement, I’m hoping in the future to be able to find a source for the info and continue doing that.
One thing that’s clear from all the hullabaloo in the press today is that, as in some other prominent cases, Microsoft didn’t handle the presentation of this change very well. I’m reminded of the introduction of Windows 8, a very good operating system that was at first shunned by so many users because it wasn’t (in my opinion) well represented to the public. In fact, general support for Windows 8/8.1 has continued to be lukewarm, with the first real enthusiasm coming back in response to the Windows 10 preview that restores the Start menu to its rightful place on the desktop.
And that brings up yet another thought: Microsoft spokespersons said the same thing about the Start menu that they’re now saying about ANS, that most customers didn’t use it and wouldn’t miss it. They thought the initial dissatisfaction would die down and everyone would accept the “new world order.” They obviously miscalculated that time, and in the wake of continuing complaints about its absence, they capitulated and brought the beloved Start menu back. Could the same thing happen if the uproar over the Advance Notification Service gets loud enough? Or are they right that nobody – other than a few tech journalists – really cares?