Microsoft today pulled the plug on its Advanced Notification Service (ANS), offering it going forward only to paying Premier customers.
ANS preceded the release of Microsoft’s monthly Patch Tuesday security bulletins; on the Thursday prior, Microsoft would provide users via its security website a high-level preview of how many bulletins could be expected on the ensuing Tuesday, and more importantly, the severity of the vulnerabilities scheduled to be patched. The advanced notification helped companies allocate resources in advance to patch prioritization and testing.
Microsoft, however, said today that the decade-old ANS has outlived its usefulness.
“ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies,” said Chris Betz of the Microsoft Security Resource Center. “While some customers still rely on ANS, the vast majority waits for Update Tuesday, or take no action, allowing updates to occur automatically.”
Betz said Microsoft customers instead rely on Microsoft Update and Windows Server Update Service to assist with patch prioritization.
“Customers are also moving to cloud-based systems which provide continuous updating,” Betz said.
That rationalization isn’t sitting well with some experts, who said the move is against the grain established by the Trustworthy Computing initiative, which not only revamped how Microsoft builds security in to its development lifecycle, but also gave birth to Patch Tuesday.
“This is an assault on IT and IT security teams everywhere. Making this change without any lead up time is simply oblivious to the impact this will have in the real world,” said Ross Barrett, senior manager of security engineering at Rapid7. “Microsoft is basically going back to a message of ‘just blindly trust’ that we will patch everything for you. Honestly, it’s shocking.”
Microsoft said it will provide ANS to its Premier customers through their Technical Account Manager support representatives; participants in Microsoft’s MAPP partner program will also receive ANS notifications. In May, Microsoft made available its new myBulletins service, which allows Windows admins to customize security patch information, filtering it by products in use inside an enterprise or midmarket company. Notifications and advisories were left out of myBulletins, to the chagrin of some.
> Microsoft Advanced Notification Service available only to Premier support customers. > > Tweet
“With the advent of the famous TWC memo and years of work by MSRC to gain a solid working relationship within the security community, to suddenly switch a free and relied upon service to a fee based system will only backfire,” said Andrew Storms, vice president of security services at New Context, a systems architecture firm in San Francisco. “I can only imagine that since the forced retirement of so many MSRC folks in 2014, that Microsoft might be trying to make ends meet.”
Microsoft in September announced it was disbanding its Trustworthy Computing unit, the cornerstone of the Secure Development Lifecycle born out of Bill Gates’ 2002 memo. The decision coincided with the layoff of 2,100 employees and reshuffling of many TWC security people into the company’s cloud and enterprise division, as well as Microsoft’s legal group.
Microsoft was not clear on whether all of its advanced notifications will go away, including those for out-of-band patches.
“If that’s the case, then it will surely feel like Microsoft has stepped back in time by a decade or more,” Storms said.