On the second Tuesday of every month, Microsoft releases updates and security patches for its software.
The contents of Update Tuesday – also known as Patch Tuesday – have hitherto been heralded by a blog post the preceding weekend, which detailed the forthcoming updates so that administrators could prepare for any changes.
No more. The Advanced Notification Service (ANS) has been pulled – ironically without advanced notification.
From now on, the ANS will only be available to customers who subscribe – for a fee – to security programmes such as the Microsoft Active Protections Program. Non-paying customers will have to wait and see what updates appear on Update/Patch Tuesday.
According to a blog post from Chris Betz, the senior director of Microsoft Security Response Center, “customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimised testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically.”
Many security professionals have criticised the move, saying that Microsoft is making patch management significantly harder for IT teams by decreasing the time available for necessary updates to be identified and applied. It’s too early to determine the full business repercussions, but it would seem that a lot of IT admins are going to find maintenance even tougher from now on.
Google seems to think so, too.
Its Project Zero initiative “seeks to find bugs in popular software and then gives the manufacturers responsible 90 days to fix the problem.” When it recently discovered a Windows flaw, it therefore followed its usual 90-day timeframe and, despite being asked to hold off till Tuesday 13 January, publicised the vulnerability on Sunday 11 January, two days before the Patch Tuesday that would see the release of a bug fix, and, apparently coincidentally, on the day which would ordinarily have seen the patch mentioned in Microsoft’s ANS.
Microsoft criticised Google for publicising the vulnerability before it had managed to issue a patch to fix it. Chris Betz blogged on Sunday: “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
According to The Inquirer, Microsoft last tried to stop the ANS in July 2014 – again without advanced notification – but was “forced to backpedal” before announcing a few days later that the ANS would resume.
Keeping your software and systems up to date is an essential part of good information security management, as stipulated by the international standard for information security, ISO 27001. For more information on ISO 27001, please click here >>