Security Advisor
Microsoft Kills Public Patch Tuesday Advance Notifications
The company cited that the general lack of interest by organizations led to the change.
Microsoft announced today that it will no longer publicly release advance notification for its monthly security update.
Typically released on the Thursday before the patch, the advance notifications provided a general breakdown of the month's security bulletins, alerting IT to which products will be receiving a fix and what the patching order should be, based off of severity levels of individual items. While the advance notifications will no longer be readily available online, some organizations will still receive the information.
"We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and Web page," wrote Chris Betz, senior director for the Microsoft Security Response Center (MSRC) in a blog post.
Betz went on to explain that the company decided to cut the service due to the small percentage of organizations that use the advance notification, saying that most will wait for the full security update breakdown that arrives with the monthly security update on the second Tuesday of every month.
"More and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations," wrote Betz. "Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating."
Enterprises that are enrolled in Microsoft Services Premier Support will still receive the advance notification on request.
While Microsoft is framing this change as an "evolving" step for its ANS (as evident by the Betz blog title), many IT pros don't see it in those terms. Ross Barrett, security firm Rapid 7's senior manager of security engineering, isn't pleased with the service cut. "This is an assault on IT and IT security teams everywhere," said Barrett, in an e-mailed statement. "Making this change without any lead up time is simply oblivious to the impact this will have in the real world. Microsoft is basically going back to a message of 'just blindly trust' that we will patch everything for you. Honestly, it's shocking."