It appears Microsoft is starting out 2015 on the wrong foot.
On Thursday, January 8, 2015, it announced that it would no longer publish information publicly in advance of Update Tuesday. (Is “patch” a bad word?)
When I saw the news yesterday from Microsoft’s Chris Betz I was immediately disappointed. When Chris chose the word “Evolving” in the title of his post he seems to be selling us on being less informed.
Microsoft will still be sharing patch information in advance with its MAPP (Microsoft Active Protections Program) partners, like Sophos, and with Microsoft Premium customers.
Advance notification of patches is a very handy thing. Certainly if you are SophosLabs you are able to analyze how you might provide protection against exploits that may surface before customers can deploy fixes.
If you are an IT administrator it gives you a heads-up about which systems may need to be rebooted, allowing for advance scheduling of downtime and even an opportunity to create virtual machines so you are ready to begin testing as soon as the patches are released.
Naked Security readers certainly seemed to find the information helpful. More than 50,000 of you read our articles on upcoming Microsoft patches in 2014.
Microsoft first started taking security seriously after a famous memo in 2002 from then-CEO Bill Gates that launched what was known as the Trustworthy Computing group, which accomplished the biggest turnaround with regard to security I have ever seen.
This one memo kicked off what became known as Patch Tuesday and the Microsoft Secure Development Lifecycle (SDL).
In a white paper by Craig Mundie, Microsoft stated that one of the key goals for improving security was customer guidance and engagement.
Has Microsoft lost its way? Is this the beginning of the end of Microsoft setting the standard which inspires others to follow?
Microsoft shuttered the Trustworthy Computing group in September 2014, seemingly going back to the old “just trust us, we know right” approach that got them into such hot water around the turn of the millennium.
Unfortunately we will not be able to continue to tell you what to expect on the second Tuesday of the month, but we will certainly provide you with our insights on Update Tuesday itself.
I hope Microsoft reconsiders, but if it doesn’t, let’s hope this is the only backwards step it makes.
Transparency is one of the single most important principles needed to achieve greater integrity, security and trust.
Yes, trust. As in “Trustworthy Computing”. Bill? Craig? Are you listening?