Late last year, Google Security Research publicly exposed a severe vulnerability in Windows 8.1 that would allow an attacker to take over a computer or device running the Microsoft OS version. Many, both industry specialists and Microsoft customers, took offense and slammed Google in the comments on the disclosure page, suggesting that the Search company's action was irresponsible. If you missed this little tidbit, I told the story here: Batten Down the Hatches: Google Engineer Publicly Discloses Severe Windows 8.1 Security Flaw.
In short, Google reported the flaw to Microsoft on September 30 and, according to its policy, publicly disclosed the defect 90 days later. Microsoft had 90 days to fix the glaring issue, but unfortunately the software company had its own patching problems to counter. As we've all read, seen, and felt, Microsoft's patching program is broken, causing customers severe pain each month with wrecked software and systems that would blue screen and stop booting. The company spent much of its time fixing patches and was probably caught up in that and distracted from the flaw reported by Google.
Except for an apology here and there directly from the patching teams, Microsoft has been suspiciously silent on its failed patching processes. Microsoft was once the pioneer in security patching, setting the rules and policies that many other industry companies followed. Today, customers are afraid to patch, causing many to completely change their internal updating policies, delaying deployment for even critical, zero-day flaws.
So, what did Microsoft do in response? Two things. And, while these things are probably unrelated in Microsoft's thinking, they are like milk and cookies in the minds of customers.
First off, against all logic and now against a growing wave of complaints, Microsoft ended its Advance Notification Service for security updates. This came as quite a shock to many customers, and I have to say, when the news came down while I was stuck in a meeting, I was pretty shocked myself.
Microsoft already has a PR problem with customers because it has sent many resources that IT professionals relied on to their grave in the last couple of years. The company ended a very popular conference, the Microsoft Management Summit, in 2013. Then it dumped TechNet Subscriptions in 2014. And, just recently, it culled other very popular community events like MEC and TechEd. To its credit, for every program it has killed, it has promised a replacement, though each replacement has been a shell of the original. The company will roll out its next promised replacement in May of this year as it seeks to merge all of its previous conferences into a single event. The event is named MS Ignite, but customers and TechEd alumni are already referring to it as MS Ignore.
To announce the death of the Advance Notification Service, Microsoft's Chris Betz used words like "evolve" and "optimize," so you know immediately that Microsoft marketing was involved. In the blog post announcement, Betz gave a bit more insight into the whys and wherefores of the change. He explained that the Advance Notification Service is still available, but only for paid customers – not for the general IT professional. Betz says that ending the Advance Notification Service is a result of customer feedback and that its largest customers weren't using it.
Customer feedback. Hmmm. This phrase was also used by Julia White when she suggested during a live PR event in Chicago that customers had actually requested that Microsoft merge all its community conferences into a single entity – but, that wasn't (and still isn't) true at all. And, based on the mounting complaints from customers over the Advance Notification Service ending, I'd say that it's not true in this case, either. Microsoft is promoting the My Security Bulletins Dashboard as the replacement, but as many have already stated, this is another shell of a solution.
Over the weekend, Microsoft finally made some noise about Google's vulnerability disclosure. Once again, Chris Betz took to the Microsoft Security Response Center blog to relay Microsoft's stance on the situation and called Google to the floor for being irresponsible. Betz says that Google's disclosure came just two days before the company planned to fix the vulnerability. Of course, we've yet to actually see that patch, so I'm not sure the timeline here is accurate, considering the public disclosure actually happened last month. I've seen some reports suggesting that Google's policy gave Microsoft only a couple of days. But that's really not the case here. Microsoft had a full 90 days to prepare a patch, plus the first two weeks of the new year.
But, in this case, I agree with Microsoft. Google should've been a bit more considerate and waited. But even more irony lies elsewhere in Betz's statement. In the blog post, he points to Microsoft's own Coordinated Vulnerability Disclosure (CVD) as a means of promoting good security policy. The CVD clearly states:
When the MSRC receives a vulnerability report, we develop an update as quickly as possible and broadly disseminate information about the vulnerability, the risk it poses, and what customers can do to help protect themselves against it.
The bolded text sure sounds a lot like an Advance Security Notification service to me. You?
The Advance Notification Service was used by a LOT of patching people, just not, as Microsoft puts it, "large organizations," meaning that if you are a small or medium-sized business, your feedback just didn't factor into the equation. And, if this raises some ire, hold on, it gets worse. In Betz's original post, he also suggested that more companies are using automatic deployment methods for patches and that still others are relying on the cloud, where patching is no longer a problem because it's all handled by Microsoft. Who exactly are these customers, and can you count them on one hand?
It's obvious that Microsoft needs to fix its patching processes and the QA for its updates. Microsoft has flip-flopped on decisions before, but only after the volume of complaints had risen to public proportions. If you used the Advance Notification Service and believe that Microsoft ended a very valuable service, make sure the company hears your voice. Microsoft apparently wasn't listening before, or just didn't include the right people when acting on "customer feedback."