Microsoft began issuing Patch Tuesday updates over ten years ago. Before that, patches were pushed out without any kind of schedule, causing IT pros to scramble to keep up, or ignore critical patches altogether, and so the “Patch Tuesday” idea was born to make patching systems easier and more manageable. In a blog post yesterday, however, Microsoft announced that it will no longer offer ANS (that’s Advanced Notification Service) for upcoming Patch Tuesday, or as Microsoft is calling it now, Update Tuesday.
In the post on the Microsoft Security Response Center blog, Senior Director Chris Betz writes “(m)oving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page”. Instead, Microsoft will provide the service only to Premier customers, as “the vast majority wait for Update Tuesday”.
This has angered some IT pros, according to ComputerWorld, who wrote on the changes yesterday:
“They’ve gone from free to fee, and for really no particular reason,” said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy, in an interview. “It doesn’t make sense.”
And Ross Barrett, senior manager of security engineering, at Rapid7, let loose with both barrels. “This is an assault on IT and IT security teams everywhere,” Barrett said in an email reply to questions. “Making this change without any lead time is simply oblivious to the impact this will have in the real world. Honestly, it’s shocking.”
Microsoft’s explanation for killing the advanced warning is that due to optimized testing, etc., large customers no longer use the ANS the way they did in the past. This doesn’t make much sense to Andrew Storms (quoted above), who says “I don’t get it. It’s the wrong economic model. They say no one was using it, so now they’re going to charge for it?”
And in fact it isn’t Microsoft’s large customers, who are already probably Premier customers, who will be affected most by the change, it’s the small IT shops who will now have to wait for “Update Tuesday” and quickly decide what kind of impact the updates are going to cause their organizations, without any warning.
While Microsoft is dropping ANS, and taking some control away from non-Premier customers, effectively “hiding their security report card from the general public”, as another IT pro told ComputerWorld, Microsoft is promising that there will be advanced warning when it is needed, telling ComputerWorld that “If we determine broad communication is needed for a specific situation, we’ll take the appropriate actions to reach customers.”
Microsoft is still committed to “Update Tuesdays”, only now small IT shops are going to have to work harder to stay on top of securing Microsoft products, which seems a shame.