End of Advance Security Notices a Symbol of a Less Potent Microsoft

This Tuesday, the IT world will be flying blind when it concerns the security patches coming out of Microsoft.

For more than a decade, Microsoft used a special process called the Advance Notification Service (ANS) to provide a Thursday preview of the number and severity of software fixes coming in the following week's Patch Tuesday, which Microsoft calls Update Tuesday.

Last week, however, Microsoft unexpectedly killed ANS in a blog post on the day people usually looked for the notices.

It's hard to say what motivated Microsoft to end ANS. The stated reason came in the blog by Chris Betz, a senior director of the Microsoft Security Response Center:

ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically. More and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations. Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating.

Fair enough, as far as it goes. Elsewhere in the blog post, however, Betz provides a few clues that Microsoft may be trying to monetize the previously free service. ANS will continue to be available to Premier customers through their Technical Account Managers and to customers in other specialized security arrangements, such as those using the Microsoft Active Protections Program. Nonetheless, the monetization motive is tenuous -- ANS would just be a value-add to a larger service, rather than a direct revenue opportunity.

Reaction to the announcement was swift within the security community. Ross Barrett, security firm Rapid 7's senior manager of security engineering, was displeased with the service cut.

"This is an assault on IT and IT security teams everywhere," Barrett said in an e-mailed statement reported by my colleague Chris Paoli on Redmondmag.com. "Making this change without any lead-up time is simply oblivious to the impact this will have in the real world. Microsoft is basically going back to a message of 'just blindly trust' that we will patch everything for you. Honestly, it's shocking."

Qualys CTO Wolfgang Kandek was less blistering in a blog post of his own, but left open the possibility that the move was a mistake.

"Microsoft will stop providing the ANS information to the general public and parties interested will have to ask for...it through their account manager. Hmmh, I personally have always thought that our customers were interested in the information contained in ANS, but we will see how that works out," Kandek wrote.

Criticizing Microsoft's failure to prepare the market for the end of the public notices is completely valid, and there's always the chance of a backlash that will cause Microsoft to change its mind.

But there are completely valid reasons for Microsoft to scale back on its exceptional process for publicizing and explaining updates -- not that I believe Microsoft would admit them or want to talk about them.

Microsoft's two-step, monthly process of Thursday warnings followed by the release on Tuesday of a collection of patches was unusually rigorous and open. It was created at a time when Microsoft owned more than 90 percent of the market for end user computing devices and when vulnerabilities in Microsoft software were the most serious security problem facing many organizations.

In other words, it's a relic from Microsoft's days at the center of the IT universe. Microsoft's exceptional power at the time carried with it an exceptional responsibility for communicating, over-communicating even, on security issues.

That time is behind us, for two reasons -- one a well-documented negative for Microsoft, the other a less frequently acknowledged positive.

The negative, from Microsoft's standpoint, would be that its 90 percent share has almost inverted. Having missed the rise of smartphones and tablets, Microsoft is left with a 14 percent share of the device market, according to Gartner. Put another way, your responsibility to follow exceptional procedures in communicating your software patches is substantially less when you have 14 percent share than when you enjoy 90 percent share. Granted, Microsoft retains substantial server share, and has a huge install base of desktop and laptop PCs. Nonetheless, having a patching process that offers parity with other major industry players rather than going above and beyond the competition's seems fair under those circumstances.

The positive for Microsoft is that their applications are no longer at the top of the list when it comes to vulnerabilities. Years of security efforts on Redmond's part, coupled with a slide in influence and usage, mean that more vulnerabilities are being disclosed in other programs than in Microsoft programs. In the Secunia Vulnerability Review for 2014 (covering 2013, which was not a particularly good year for Microsoft), only one Microsoft application was among the top eight applications with the most vulnerabilities. The programs with the most vulnerabilities were Mozilla Firefox (270), Google Chrome (245), Oracle Java JRE (181), Microsoft Internet Explorer (126), Adobe Reader (67), Apple iTunes (66), Adobe Flash Player (56), Adobe Air (51).*

In the new digital reality, it's time to worry less about Microsoft's transparency and vigilance and time to worry more about everyone else's.

* Note: For the record, No. 9 and No. 10 in the Secunia list were Microsoft products -- the .NET Framework (18) and Word (17). That means Microsoft had three of the top 10 vulnerabilities, but having only one in the top eight illustrates the point better that Microsoft is nowhere near the worst offender anymore when it comes to security vulnerabilities.

Posted by Scott Bekker on January 12, 2015