For the last few years I’ve been praising Microsoft for taking great strides to improve security. This morning, I’m tempted to take it all back.
For the last decade, Microsoft has issued advance notifications the Thursday before each security patch release. It’s been a valuable service, helping IT security practitioners to be better prepared.
Yesterday, the software giant announced it was ending the service, claiming that not enough people are using it.
It’s a bad move that comes on the heels of other bad moves, which include slashing a lot of good security talent in recent months.
Computerworld scribe Gregg Keizer broke the story yesterday. Chris Betz, senior director at the Microsoft Security Response Center (MSRC), told Keizer: “Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and Web page.”
The change also applies to the occasional alerts that Microsoft issued when it gave customers a heads-up about an impending emergency patch. ANS will no longer provide public alerts for those “out-of-band” updates.
Betz makes this ridiculous claim in the article:
“Customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically.”
Oh, and in case y’all were wondering, “Update Tuesday” is what Microsoft now prefers to call the first Tuesday of the month, because it’s apparently less inflammatory than “Patch Tuesday.”
In recent years Microsoft has increased communication on its security activities and customers have benefitted greatly from it. The more information practitioners have, the better equipped they are to make the best security decisions for their organizations.
Yesterday’s news is a stunning reversal.
Don’t be surprised if attackers refocus on Microsoft going forward, bolstered by the belief that Microsoft no longer cares about security.
I’m not saying they don’t. But in this case, they certainly made a lousy decision.