On the second (US) Tuesday of each month, Microsoft issues its Patch Tuesday updates. In the past, it has provided advance notification of which products will be affected — but now that’s only going to be available to Premium customers.
Microsoft announced the changed approach in a blog post. Its argument is that most people don’t pay attention anyway. “While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically,” the post noted.
There’s an undeniable logic to not providing full details of patches until after they have become available — that reduces the possibility of vulnerabilities being exploited before a fix is available. And the information will still be available once the patches are released (so that’s when we’ll be writing about them). However, given how often people screw up the basics in security, I’m not entirely comfortable with producing less public information about what’s happening. What do you think?
Comments
4 responses to “Why Microsoft Isn’t Issuing Advance Patch Tuesday Bulletins Any More”
I’ve always liked the advance notifications. We run a 24 hour operation and they allow us to plan ahead based on the criticality of the vulnerabilities the updates are patching. Microsoft define something as “critical” when it’s remotely exploitable by an attacker without requirement for user intervention. We need those rolled out sooner rather than later, and by knowing in advance which products are affected, we can identify which business units will be most impacted by reboots.
As a premium partner or above, you’ll still get the early access via email.
Uh, thanks…?
And the other argument: Microsoft has recently had to recall more than one patch because it caused issues for a fair chunk of their user base. This way they get more testing time before they’re locked into releasing the patch.