Advanced notice of Microsoft Patch Tuesday fixes is no longer free

From now on if you want to see what patches Microsoft is going to issue on Patch Tuesday you'll have to pay for it.

The company's Advanced Notification Service, the Thursday postings that thumbnailed the security bulletins the company would issue on Patch Tuesday, will only be available to Premier customers. For the past 10 years the service has been free to anyone who wanted to subscribe.

"Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page," according to a post by Chris Betz, the senior director of Microsoft's Security Response Center.

Most customers, particularly the largest, don't use the service much anymore, he writes, and most customers just wait until the actual bulletins are released on Patch Tuesday, which Microsoft now calls Update Tuesday.

Those who do take advantage of the advanced bulletins use them to evaluate the threats that will be addressed, determine whether their Microsoft products are affected, prioritize which patches to install and figure out how best to do so with minimal disruption.

Betz says the change is meant to help customers "cut through the clutter and obtain security information tailored to their organizations."

But it also pushes customers toward using Microsoft's automatic update services for software customers buy or toward relying on Microsoft cloud services that are patched as a matter of routine. "Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating," he writes.

Microsoft will keep generating the information contained in the advanced notifications, but will hold it for paying customers. "For customers without a Premier support contract, we recommend taking advantage of myBulletins, which enables customers to tailor security bulletin information based on only those applications running in their environment," he says.

But some are critical of the move.

"The vulnerabilities teach us something every month about software, security, mistaken assumptions, and the quality of the product, and (indirectly) threats, whether we currently use that product or not," says Jon Rudolph, principal software engineer at Core Security. "It would appear that the list is still available for a price, and by encouraging users toward the new myBulletins, Microsoft takes some control away from the users."

Ross Barrett, senior manager of security engineering at Rapid7, who routinely examines, comments on and blogs about the notifications, is more harsh. "This is an assault on IT and IT security teams everywhere," he says. "Making this change without any lead up time is simply oblivious to the impact this will have in the real world. Microsoft is basically going back to a message of just 'blindly trust' that we will patch everything for you. Honestly, it's shocking."

Qualys CTO Wolfgang Kandek, who also closely follows the bulletins, was skeptical that demand for the advanced notices is waning. "Hmmh," he writes in an email, "I personally have always thought that our customers were interested in the information contained in ANS, but we will see how that works out."


Stories by Tim Greene
