Removal of security bulletin service from public view faces backlash.
Microsoft’s decision to limit its pre-release Patch Tuesday bulletins to premium members has been branded “an assault on IT and IT security teams” by cybersecurity vendor Rapid7.
Microsoft customers have, for more than a decade, received notice of incoming security updates to the firm’s products, but yesterday the firm announced it will no longer display these updates publicly.
Ross Barrett, senior manager of security engineering at Rapid7, said: “This is an assault on IT and IT security teams everywhere. Making this change without any lead up time is simply oblivious to the impact this will have in the real world.”
“Microsoft is basically going back to a message of ‘just blindly trust’ that we will patch everything for you. Honestly, it’s shocking.”
Chris Betz, head of Microsoft Security Response Center, defended the decision on the grounds that “the vast majority” of customers just wait for information on the release day or allow systems to patch automatically.
“More and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations,” he said.
“Rather than using [our Advanced Notification Service] to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organise and prioritise deployment.”
Premier customers can still receive the pre-release bulletin through Microsoft’s technical support, as can those who are part of the firm’s Active Protections Program.
Source: Company Press Release