January 22nd, 2015
Some see bad signs in Microsoft’s changes to its security reporting processes.
Microsoft has made a change in its Patch Tuesday reporting, along with changing the name of the initiative, and some people see it as a sign that things are getting shaky within the company.
For the first time since it initiated Patch Tuesday, Microsoft did not issue a widespread alert on the Thursday prior to the monthly fixes. Normally, Microsoft issues an email alert through its Advanced Notification Service, or ANS, on the content of Patch Tuesday, which takes place on the second Tuesday of every month. The ANS warning said which Microsoft products would be impacted and how severe the bugs were. It cautiously omitted key details to keep from tipping off malicious hackers as to where to look for the bugs.
However, this month Microsoft limited the alerts and information to customers who pay for premium support. “Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and Web page,” Chris Betz, senior director at the Microsoft Security Response Center (MSRC), wrote in a blog post.
Betz explained that Microsoft was dropping the public ANS notifications because customers weren’t using them.
“Customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies,” he wrote. “While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically.”
As his quote shows, Microsoft now refers to its monthly bug fixes as “Update Tuesday.” Apparently it didn’t like the term “Patch Tuesday,” even if it was accurate.
When I asked for a comment, a Microsoft spokesperson stuck to the statement made by Betz. “We understand why some question this change after more than a decade. The feedback we’ve received indicates that many of our customers no longer use ANS in the same way they did in the past, due to optimized testing and deployment methodologies,” the company said.
To be honest, they have a point. I never read the Thursday notices, either. The fixes always showed up on the second Tuesday right on time, and Microsoft hasn’t changed anything about that except the name.
But alongside other events, it does show that security in general seems to be undergoing a real shakeup at Microsoft. The company shut down its Trustworthy Computing group last September, and in December it had to withdraw two Patch Tuesday fixes because they caused more harm than good.
Some people are pretty upset with this, as was documented in a story over on Computerworld. The folks I spoke with weren’t as judgmental.
“Indeed this situation is weird, but maybe it is just that they are trying to include a last-minute patch and do not want to say anything until they know for sure if it is going to be included,” Luis Corrons, technical director of PandaLabs, says.
Chris Goettl, product manager with Shavlik, says, “I do not like the move to be sure. It will cut a lot of lead time for companies who care about what is coming and want to plan well for it…I have long been a proponent for the standard of disclosure that Microsoft had set. I have openly criticized vendors who do not disclose enough information to stress the importance of what they are updating. Others, like Adobe and Oracle, had started adopting many of the same practices of predictable release schedules, some advanced warnings or notifications, etc. Will this change send a message back to other late adopters of this mentality?”
Adam Kujawa, head of malware intelligence for Malwarebytes Labs, saw both sides of the issue. Google has been publicly disclosing vulnerabilities, including those in Windows, a practice Microsoft has slammed.
“The vulnerability disclosure and vulnerability patching processes are very broken at this point…The arguments from Microsoft’s side and from Google’s side are both valid. Google wants Microsoft to fix the bug so bad guys can’t use it. Microsoft wants to fix the bug too but also wants to make sure that it’s done in a fashion that protects their users. Either way, the threat approach doesn’t do much but force software developers to release quick fixes that could potentially harm systems in the future, and when the demands of the identifier are not met, releasing the knowledge to the public means that the bad guys will be employing it that much sooner,” he said.