Topic: Why Microsoft pre-alerts only paid subscribers about upcoming patches ?!


Samker


Microsoft is facing fierce criticism over its decision to make pre-notification of upcoming patches available only to paid subscribers.

The Advance Notification Service (ANS) formerly made information on upcoming software patches available to the public but from now on the information will be restricted to “premier” customers and some other select partners.

Chris Betz, senior director of the Microsoft Security Response Center, explained in a blog post that Microsoft was restricting distribution of the patching pre-alert out of a desire to reduce "clutter": http://blogs.technet.com/b/msrc/archive/2015/01/07/evolving-advance-notification-service-ans-in-2015.aspx
Betz argued that the security heads-up notice was no longer of much utility to the majority of its customers.

"We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organisations involved in our security programs, and will no longer make this information broadly available through a blog post and web page.
ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimised testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically.

More and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations. Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating."


Jon Rudolph, principal software engineer at Core Security, argued that rather than "just cutting through the clutter", Microsoft is "hiding their security report card from the general public".

"The vulnerabilities teach us something every month about software, security, mistaken assumptions, and the quality of the product, and (indirectly) threats, whether we currently use that product or not," said Rudolph. "It would appear the list is still available for a price, and by encouraging users toward the new myBulletins, Microsoft takes some control away from the users on this transition."

Ross Barrett, senior manager of security engineering at Rapid7, the developers of the Metasploit penetration testing tool, is even more critical.

“This is an assault on IT and IT security teams everywhere," Barrett commented. "Making this change without any lead-up time is simply oblivious to the impact this will have in the real world. Microsoft is basically going back to a message of 'just blindly trust' that we will patch everything for you. Honestly, it's shocking.”

In the absence of a published pre-alert, we don't know what patches or how many will appear on the first Patch Tuesday of 2015, which is due to drop on 13 January. Whether or not there will be a patch to address a local privilege escalation vulnerability in Windows 8.1 discovered by Google and published in late December is one key point of interest for next week, as noted in a blog post by Wolfgang Kandek, CTO of Qualys, here: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/08/patch-tuesday-january-2015-preview

(ElReg)

Samker's Computer Forum - SCforum.info


devnullius

I can understand Microsoft's reasoning though... These alerts are only of value for security experts: and even then: nothing one can do until patch is actually released?

Just my 2 cents :)

Devvie

Samker

IMO, this is really insolent... :thumbsdown: but what else to expect from M. >:(

A41202813GMAIL

M$.
« Reply #3 on: 12. January 2015., 09:51:20 »
M$ Started To Go Down In My Esteem After The IE9 Sabotage - And After APRIL 2014, For Normal Users, Even IE7 And IE8, Now.

I Will Continue To Use Their Software, Until Some Employer Of Mine Gives Me A Taste Of Some Other Good Enough Guinea Pig.

Cheers.
