For the last decade, every Microsoft Patch Tuesday was preceded by a Microsoft Advance Notification Service (ANS) update. In an unexpected move, Microsoft announced on Jan. 8 that it is ending the free general public availability of ANS, which will only be available to Microsoft premier customers and members of its security programs.
ANS provided a brief preview of the patches set to debut on Patch Tuesday. The public release, however, never provided full details of specific flaws; rather, it was a general overview of patched items meant to provide some initial guidance.
In many cases, whenever Microsoft is set to make a change to any of its software or security products or policies, the change is announced in advance. Ironically, there was no advance notification for the end of the Advance Notification Service.
“We believe announcing a few days prior to an Update Tuesday cycle calls attention to this change more effectively than repeating it for a few months,” a Microsoft spokesperson told eWEEK via email. “The vast majority of customers don’t use ANS to prepare for security updates; and for those that do, it isn’t coming to an end.”
Back in 2008, the Microsoft Active Protections Program (MAPP) debuted, providing the company’s partners with a program that gives details of vulnerabilities before the official patches are released. Though public availability of ANS is now changing, Microsoft’s spokesperson noted that there are no changes to MAPP.
“Premier customers and current organizations that are part of our security programs, such as the Microsoft Active Protections Program, will continue to receive the ANS,” the spokesperson stated.
Qualys, a MAPP partner, is working with Microsoft to get early access to security notifications, according to Wolfgang Kandek, Qualys CTO. He believes the ANS still matters and that there is value in IT administrators being able to read about specifics, exploits and priorities.
“On one hand, I am certain that many IT admins wait until the bulletins are released and go directly to the technical details and form their own opinions; on the other hand, there are IT admins that appreciate the guidance,” Kandek told eWEEK. “Taking that guidance away is a step backward.”
Marc Maiffret, CTO of BeyondTrust, also a MAPP partner, said the ANS is helpful in that it allows IT to plan better. While larger enterprises might have dedicated teams and partnerships with Microsoft, small and midsize businesses (SMBs) are likely to be impacted by the end of the public ANS. With the ANS changes, those SMBs will now have to wait until the morning of Patch Tuesday to know how their next few nights will be spent.
For Rapid7, which is not a MAPP partner, the publicly available advance notification was valuable, said Ross Barrett, senior manager, security engineering at Rapid7. “It broadly informed the public about all affected platforms and products,” Barrett told eWEEK. “The new approach assumes that customers have comprehensive knowledge and understanding of what is in their environments so that they can seek out what patches to prepare for.”
People don’t fully know what is in their environments, and making it harder for them to get relevant security warnings could be harmful, Barrett said.
“On a personal note, as a security professional who works with coverage of Microsoft platforms, this just makes it harder for us to get ready for Patch Tuesday every month,” Barrett said.
“Instead of generally knowing something about all the things that will be patched, though never exactly what, we now have to hunt down a list that we can never know is comprehensive.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.