Microsoft's patch info 'blockade' pinches security staffs

Security experts remain frustrated about Microsoft's decision last month to halt advance warnings of each month's patch slate, saying the move makes it difficult for IT admins to do their job.

Security experts yesterday were still frustrated about Microsoft's decision last month to halt advance warnings of each month's patch slate, with one calling it a "blockade" and another arguing that it makes it difficult for IT administrators to do their job.

"For the second straight month Microsoft is holding fast to their blockade of information," said Ross Barrett, senior manager of security engineering at Rapid7, in an email. "Microsoft called this an evolution, and I can certainly see why -- they are applying a squeeze to security teams that will eliminate the weak members of the herd."

On Jan. 8, Microsoft abruptly shuttered its Advanced Notification Service (ANS), which had posted alerts five days before the arrival of each month's Patch Tuesday collection of security updates. The warnings listed the number of updates and what products they would affect, and described the severity of the underlying vulnerabilities.

ANS had been part of Microsoft's security process for more than a decade.

Microsoft contended that customers no longer relied on ANS, but instead simply waited for Patch Tuesday, then automatically applied the updates. That's very common among consumers, but much less so for businesses.

Some were to still receive a heads-up, however. Enterprises that paid for premium support would continue to get some kind of warning.

But even those customers have been given short shrift, Barrett argued. "Customers with Premier support are getting a very sparse advance notification 24 hours before the [Patch Tuesday] advisories drop," he said.

Like the previous ANS, the advance notice sent to eligible customers -- a copy was seen by Computerworld -- listed the number of updates and what products they would affect, and described the severity of the underlying vulnerabilities. But as Barrett said, the notice, which was in table format, lacked the level of detail found in the pre-January alerts. The latter called out individual editions in a product line -- they might have rated, for instance, some Windows editions as "critical" but others, often servers, as merely "important" -- and provided additional context for the upcoming patches.

In November, for example, Microsoft told customers that bugs in the server side of Windows were not present in the client editions, but that the latter would be updated nonetheless to provide "additional defense-in-depth hardening" as protection against similar vulnerabilities that could pop up in the future.

The lack of ANS makes it tough on company IT and security staffs.

"Now in month two of no advance notification from Microsoft ... it is quite challenging to determine exactly what Microsoft recommends for deployment and how best to get that done," said Russ Ernst of Lumension.

Last month, Microsoft advised customers who would no longer receive advance notices to keep an eye on a dashboard, called "myBulletins," that the company rolled out in May 2014. But myBulletins doesn't preview the upcoming updates, posting items to users' pre-defined lists only after the bulletins have gone public on Patch Tuesday.

"myBulletins continues to be useless because it is not updated until well after the Patch Tuesday release," said Barrett.

Microsoft released nine security bulletins Tuesday to patch 56 vulnerabilities.


Stories by Gregg Keizer
