Pre-Patch Tuesday alerts no longer publicly available
Microsoft’s Advanced Notification Service (ANS), which for over a decade provided advanced warning about the patches and updates that the company would push out on its monthly Patch Tuesday, will no longer be available through blog posts and on the web page reserved for the final advisory.
Instead, only Premier customers and organizations involved in the company’s security programs will receive the traditional heads-up.
Chris Betz, Senior Director of the at the Microsoft Security Response Center (MSRC), says that the change is due to the fact that many of the company’s large customers no longer use ANS in the same way they did in the past.
“While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically,” he explained. “More and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations. Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating.”
Notifications for upcoming emergency, “out-of-band” updates will also be no longer made available to the general public.
“This is an assault on IT and IT security teams everywhere. Making this change without any lead up time is simply oblivious to the impact this will have in the real world,” commented Ross Barrett, senior manager of security engineering at Rapid7. “Microsoft is basically going back to a message of ‘just blindly trust’ that we will patch everything for you. Honestly, it’s shocking.”
Microsoft has offered an alternative way for administrators who aren’t Microsoft customers to see which patches and updates they need to apply: a customizable, web service and dashboard called myBulletins.
To register, you need to have a Microsoft Account. Unfortunately, myBulletins does not send notifications – you must log in to the service to see the security bulletins.