Microsoft patch batch pre-alerts now for paying customers ONLY

Microsoft is facing fierce criticism over its decision to make pre-notification of upcoming patches available only to paid subscribers. The Advance Notification Service (ANS) formerly made information on upcoming software patches available to the public but from now on the information will be restricted to “premier” customers …

  1. JeffyPoooh
    Pint

    Well, thank goodness nobody would be able to cut-and-paste it to PasteBin

    Cue the standing-up of hundreds of 'mirrors'.

  2. The Man Who Fell To Earth Silver badge
    FAIL

    Typical slick MBA stunt.

    No doubt "Premier" customers are covered by an NDA, so they can't forewarn the public of Microsoft's disastrous security the upcoming patches are trying to band-aid.

    1. Destroy All Monsters Silver badge
      Trollface

      Re: Typical slick MBA stunt.

      Next you will tell me MBAs are for cargo cultists so challenged that they need the voodoo spelled out for them?

    2. Anonymous Coward
      Anonymous Coward

      Re: Typical slick MBA stunt.

      "Microsoft's disastrous security"

      erm - you perhaps don't know, but Windows actually has a better security record (fewer vulnerabilities that are on average patched faster - with fewer days at risk) than OS-X, SUSE and Redhat every year for the last decade!

      1. ClanArmstrong

        Re: Typical slick MBA stunt.

        I agree 100%. Statistics can be massaged and massaged until you get an answer that makes you look good. Similar to putting on makeup or a politician in the "Good Old Boy" seat. Take this "Cloud" and shove it.

  3. Roo
    Windows

    They haven't really thought this through have they ?

    The third-party vulnerability reports will still be there for the public to peruse, but they won't be able to see if Microsoft has bothered to fix them now... I can't see how making Windows look like an abandoned legacy OS is going to help market share.

    1. big_D Silver badge

      Re: They haven't really thought this through have they ?

      You will be able to see if they have been fixed. It is just the advanced notification, which is a week before they are released. On the day of release you should be able to see what you are getting.

      1. Anonymous Coward
        Anonymous Coward

        Re: They haven't really thought this through have they ?

        Well, why not provide that information to everyone else?

        Do you have a valid reason why that information should only be available to those who pay extra for it? We've already over paid an excruciating amount on licences.

      2. Anonymous Coward
        Anonymous Coward

        Re: They haven't really thought this through have they ?

        It is just the advanced notification, which is a week before they are released

        In other words, those who pay extra get it when it's ready, then they sit on it for a week (so the premium customers get value), then let us peasants have a look-in.

        1. big_D Silver badge

          Re: They haven't really thought this through have they ?

          Pretty much, it is a "freemium" model... I thought that was all the rage on these here Internets. ;-)

  4. Anonymous Coward
    Anonymous Coward

    Security through obscurity

    Will they ever learn, bunch of [insert preferred slight here].

  5. Anonymous Coward
    WTF?

    Bloody nonsense

    Every MS windows user is a 'paying Customer' - and come to think of it, even non-MS users still pay for the bloody crap when they buy a new machine to put GNU/Linux on it.

    Bootnote: When I bought my Samsung notebook N145 plus, I sent a letter to Samsung asking if I could get a refund as I don't use windows. Surprisingly I received a letter back asking me if I said 'no' at the first boot prompt. I replied stating that I never even got that far/saw it, as I booted straight into bios, configured USB as first boot device, then booted straight into a Slackware iso.

    I got another letter saying that if I send them back the windows genuine (or whatever it's called) sticker from under the notebook, they would oblige. BUGGER - I had already done that, and destroyed it in the process :(

    1. Anonymous Coward
      Anonymous Coward

      Re: Bloody nonsense

      They pay for the software, not the support.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bloody nonsense

        Not really, this is security issues at stake here. If I bought a car and it was found out that there was a design fault with the steering, no way could a manufacturer say 'only customers paying support' will be told and get this fixed first - ALL cars need to be patched straight away.

        1. turnip handler

          Re: Bloody nonsense

          I know it's a shock to most of the IT world but cars are not like software.

          BUT even with your case the car companies do not instantly offer a fix to everyone, they only do that when forced; either by millions of people complaining or multiple incidents in the press.

          1. Anonymous Coward
            Anonymous Coward

            Re: Bloody nonsense

            but cars are not like software.

            They might look a bit different, and perform different tasks.. but software and a car are both products that have been paid for in the expectation it works as advertised, and is suitable for the intended use.

            1. Anonymous Coward
              Anonymous Coward

              Re: Bloody nonsense

              They pay for the software, not the support.

              Extracts from "Inviting More Heartbleed", Daniel E. Geer Jr., Poul-Henning Kamp:

              As Ken Thompson told us in his Turing Award lecture, there’s no technical escape; in strict mathematical terms, you don’t trust a program or a house unless you created it 100 percent yourself, but in reality, most of us will trust a house built by a suitably skilled professional, probably more than one we had built ourselves, even if we’ve never met the builder or he’s long since dead.

              The reason for this trust is that shoddy building work has had that crucial “or else ...” clause for more than 3,700 years:

              "If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death." — Code of Hammurabi, approx. 1750 BCE

              Today, the relevant legal concept is “product liability,” and the fundamental formula is, “If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes.” For better or poorer, the only two products not covered by product liability today are religion and software, and we don’t think software is going to or should escape for much longer. Here’s a strawman proposal for how software liability regulation could be structured:

              0. Consult criminal code to see if damage caused was due to intent or willfulness.

              1. If you deliver your software with complete and buildable source code and a license that allows disabling any functionality or code the licensee decides, your liability is limited to a refund.

              2. In any other case, you’re liable for whatever damage your software causes when it’s used normally.

              Would it work? In the long run, absolutely yes. In the short run, it’s pretty certain that there will be some nasty surprises as badly constructed source code gets a wider airing. The FOSS community will, in parallel, have to be clear about the level of care it’s taken, and build environments as well as source code will have to be kept available indefinitely. The software houses will yell bloody murder the minute legislation like this is introduced, and any pundit and lobbyist they can afford will spew their dire predictions that “This law will mean the end of computing as we all know it!”

              To which our considered answer will be, “Yes, please! That was exactly the idea.”

        2. Anonymous Coward
          Anonymous Coward

          Re: Bloody nonsense

          "If I bought a car and it was found out that there was a design fault with the steering"

          Not a good analogy. If you bought a car and the door locks were subsequently found to have a security flaw, you might get a free upgrade if in warranty, but everybody else would likely have to pay.

      2. Anonymous Coward
        Anonymous Coward

        Re: Bloody nonsense

        "They pay for the software, not the support."

        If they buy directly from Microsoft, they get support too. Otherwise they should get support from the OEM that sold them Windows.

  6. Anonymous Coward
    Meh

    Although I don't agree with this...this made me smile...

    Jon Rudolph, principal software engineer at Core Security, argued that rather than "just cutting through the clutter...."

    “Core Security gives customers the ability to descramble vulnerability management noise”

    We like clutter, it allows us to sell stuff....

    I guess it would have been better for MS just to simplify it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Although I don't agree with this...this made me smile...

      “Core Security gives customers the ability to descramble vulnerability management noise”

      I reckon he's been here:

      http://www.sciencegeek.net/lingo.html

      1. Terry 6 Silver badge
        Pint

        Re: Although I don't agree with this...this made me smile...

        linicks

        Quote

        "I reckon he's been here:

        http://www.sciencegeek.net/lingo.html

        "

        Thank you, a thousand times thank you.

        If only I'd had this when I was working for the LA.

        +1 and a pint

  7. adnim
    Joke

    How long

    have MS been patching Windows? Is there any code left that hasn't been patched?

    1. Mark 85

      Re: How long

      They are now patching the patches that patched the first patch.

      1. Captain DaFt

        Re: How long

        Apparently, you've never heard the official Microsoft Patch song:

        "99 little bugs in the code,

        99 little bugs,

        Take one down, patch it around,

        300 little bugs in the code!"

  8. Gray
    Windows

    That's only Phase One ...

    Phase Two will be the Premier Advantage of receiving the patches on Patch Tuesday. The non-Premier peasants can wait until the following month to receive their patches.

    Justification? Non-Premier subscribers are spared the "clutter" of patch notifications; soon they'll be spared the uncertainty of being among the bleeding-edge patch installers. Think of it as yet another leap forward by MS in their on-going effort to enhance customer experience and promote a warm & fuzzy feeling of assurance.

  9. dogged

    Alternative Statement

    In a more honest universe, Chris Betz wrote -

    "We're sick of red-top IT websites trotting out the same story every month and getting a whole bunch of internet fucktards complaining that we're fixing some bugs and claiming their OS's don't have any bugs which, incidentally, they bloody do.

    It's just that some vendors don't bother fixing them or admitting to them. Meaning Apple. Now go hassle Adobe."

  10. davcefai

    Isn't this an attempt to "monetize" bugs. (Note the z :-) )

  11. Anonymous Coward
    FAIL

    Well, it will give them an extra week of obscurity for their patches so that when they have to pull one, it only looks 1 week old instead of 2 weeks old.

  12. Terry 6 Silver badge

    foot shooting

    I like Microsoft as a general principle. I'm old enough to remember trying to make computers usable before MS came along.

    But FFS. It's as if they don't have enough to do, so they find new ways to piss people off.

    (BTW Windows Phone 8.1 and Denim firmware update were promised for last quarter 2014 - so far it's only been put on new phones, pissing off users with existing phones. So if they want to try to compete in the phone market this is clearly yet another potshot in the toe area)

    1. Anonymous Coward
      Anonymous Coward

      Re: foot shooting

      "I'm old enough to remember trying to make computers usable before MS came along."

      So am I - the ZX80 and ZX Spectrum worked fine - also the Atari ST400. MS came along and taught people to expect computers to crash a lot. I wouldn't say that was a general principle.

      1. John Brown (no body) Silver badge

        Re: foot shooting

        "MS came along and taught people to expect computers to crash a lot."

        In the era you are comparing with, I don't recall MS-DOS crashing much at all, if ever. Nor CP/M [80|86] before that. On rare occasions 3rd party software may have crashed but the OS was fairly bullet-proof. Things only really started getting flaky when expanded/extended memory drivers started appearing.

        But no one will ever need more than 640k anyway :-)

        1. Anonymous Coward
          Anonymous Coward

          Re: foot shooting

          "I don't recall MS-DOS crashing much at all"

          Me neither - but it didn't actually do much, and was an arse to use in comparison with the other computers of that era.

          1. Chika
            Coat

            Re: foot shooting

            Yeah, MS-DOS in that era was a bit of a pig. Especially if you only had one floppy drive. Disc swapping was something of an art form back then.

        2. Chika

          Re: foot shooting

          But no one will ever need more than 640k anyway :-)

          Oh yes! I remember that one! Brought to you by the same person that, allegedly, when presented with an example of an Econet network in the dim and distant past, asked the school student that presented it; "What's a network?"

          That's our Billy!

    2. Roo
      Windows

      Re: foot shooting

      "Windows Phone 8.1 and Denim firmware update were promised for last quarter 2014 - so far it's only been put on new phones"

      Microsoft do have some form in that particular area ...

      1. cambsukguy

        Re: foot shooting

        They roll it out in waves, and when the MNO can be arsed to 'test' it etc.

        It is like torture waiting, especially because this one has Cortana but the record of update reliability compared to others makes it acceptable to me.

        Presumably, it also lets them beta test Cortana and improve the accuracy.

        There are other neat things, like shot-to-shot times measured in milliseconds and new video features. Sadly, the picture stuff I don't get because it is only for newer phones, possibly having the sensorcore chip.

  13. Zippy's Sausage Factory
    Joke

    In other words...

    "However, NSA feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimised testing and deployment methodologies. While some customers still rely on ANS, they want the vast majority to wait for Update Tuesday, or (preferably) take no action, allowing the NSA to pwn their systems automatically."

    FTFY

  14. PNGuinn
    FAIL

    Wanted - Beta Testers

    So - let me see if I've got this right. Microsoft want to cut through the clutter of defective patches. So they're offering their most valued customers (ie the ones they think they can rip off the most) the fantastic opportunity to become paid (ie you pay us) beta testers.

    GO!NADS.

    El Reg - we need a bad joke icon.

    1. 's water music

      Re: Wanted - Beta Testers

      So - let me see if I've got this right

      You haven't. Try rereading the article.

      I am still struggling to understand the professed point of MS doing this though.

  15. paulej72

    I am glad.

    I for one am glad they are doing this. Now the baddies can't see what vulnerabilities are being fixed and get a head start trying to find them. I know the reports were rather vague, but they did let the virus writers narrow their search window.

    1. Kiwi
      Linux

      Re: I am glad.

      But in the Linux and OSS realms, bugs are often freely and publicly discussed. Still no malware of any note there.

      (Cue comments from AC about the Morris worm in 3.. 2.. 1...)

      1. Anonymous Coward
        Anonymous Coward

        Re: I am glad.

        "Still no malware of any note there" -

        Well over 99% of mobile Malware is on OSS platforms (Android), and there have been a number of successful widespread attacks of tens of thousands of Linux systems:

        http://www.theregister.co.uk/2015/01/12/linux_vxers_hit_devs_where_it_hurts_p0rn_sites/

        But then Linux does have a lot more known holes than Windows.

  16. Britt Johnston
    Windows

    Change of policy

    If OEMs were to provide private users with a cloudburst that's robust enough to not need changing or rebooting every few weeks, this policy would be fine with me. Leave it to the professionals to get their hands oily.

  17. Anonymous Coward
    Facepalm

    And the backlash will be irresponsible disclosure of security vulnerabilities by third parties along with exploit code.

  18. Erik4872

    Maybe trying to cut down on zero-days?

    I do a lot of work on end user computing stuff, so patching Microsoft stuff is a pretty big part of routine maintenance work. Advance notification messages are pretty vague, and only give high level details about what's coming. In my experience, they're aimed at huge IT organizations that have to move heaven and earth once a month to crank up the change management engine and follow the ITIL best practice stuff to test and roll out patches. Basically, it lets the patch testing and rollout team say, "OK, what OS components do we have to target regression testing at this month?" When you support thousands of end users running hundreds of apps, you need to be selective.

    You could be cynical and say Microsoft is just trying to get companies to sign up for Premier Support (which is not cheap but very necessary in a complex MS environment.) But, is it possible that they don't even want to drop the vague hints that the ANS messages give? When you're talking about vulnerability hunts at the scale of nation-states and organized crime, could even telling them that there's a bug in this component be too much information? In my mind, that would be pretty much an open invitation to just start hammering that particular component over Pre-Patch Tuesday Weekend, and see if you can find what they found before they get a chance to release a patch.

    Seems plausible to me, they might just be adjusting to the fact that vulnerabilities aren't generally found by people living in their parents' basements anymore...they're found by companies, governments and criminal gangs first.

    1. Kiwi
      Linux

      Re: Maybe trying to cut down on zero-days?

      You could be cynical and say Microsoft is just trying to get companies to sign up for Premier Support (which is not cheap but very necessary in a complex MS environment.)

      When you're talking about vulnerability hunts at the scale of nation-states and organized crime, could even telling them that there's a bug in this component be too much information?

      they might just be adjusting to the fact that vulnerabilities aren't generally found by people living in their parents' basements anymore...they're found by companies, governments and criminal gangs first.

      But kid hacker in mom's basement won't have the finances to pay for the premier support, whereas nation-state and gang not only can afford that, they maybe can afford to bribe some MS employees as well.

  19. Anonymous Coward
    Anonymous Coward

    Ignorance is bliss...

    ... or at least higher profit margins for Microsoft. Lesser partners, those supporting SMB & SOHO are further pushed away from being forewarned about the coming attractions. If anything, it's of a piece with all the other shoves that Microsoft is giving to lesser beings to get on the Cloud Express where they don't have to worry their little heads about issues such as patching, testing, support, you know, just the grunt work.

  20. Henry Wertz 1 Gold badge

    Clutter? What a lame excuse

    Title says it all. I think "clutter" is the lamest excuse I've *EVER* heard for some company restricting information to people under a support contract. Obviously, if admins didn't want to deal with the "clutter" they were not being forced to read various blog posts with the patch lists.

  21. Dan 55 Silver badge
    FAIL

    That Nadella fella is worse than Ballmer

    Even Ballmer knew enough to keep the Trustworthy Computing group going. At the moment MS is blundering about like a wounded Ballmer when it comes to security.

    1. regadpellagru

      Re: That Nadella fella is worse than Ballmer

      Agree, here.

      In a couple of years, security patches will be paid for on top of maintenance, at MS ...

  22. Anonymous Coward
    Anonymous Coward

    We are Microsoft. Everything is always fine. Even when it is not.

    You do not need to know what we are doing.

    We always do everything promptly and perfectly.

    We never, ever release buggy bug fixes.

    We know what you want before you know what you want. Always.

    We know what you don't want before you know what you don't want.

    We have never released any software with bugs, so you need not worry about them.

    We are always right, except when we are wrong, at which point re-read this line.

    We are Microsoft. The perfectly perfect Microsoft.

    We will decide what you see, and if you will see it.

    Never ever question what we are or are not doing.

  23. Medixstiff

    Must be something in the water at M$ HQ....

    First they outsource all their Internal IT back in 2010 to India (InfoSys), they then stop TechNet and the Trustworthy Computing Programme and now this?

    I really have to wonder what's going on at M$ management as they really seem to have no clue where to go and seem to be clutching at straws. I still think the TechNet decision is going to severely bite them in the long run.

  24. ben_myers

    Microsoft Windows is clutter personified

    So we cut through the clutter how? With another operating system, maybe.

  25. ClanArmstrong

    Patches hose PC

    3 Times now I have had to rescue my machine from updates that caused hard drive issues and slowed down 8.1 in a big way. I think some of these updates that they put out corrupt files. With so much geared toward tablets etc. I notice many updates are for tablets but are destined for a PC. MSFT is probably more concerned with getting the update to work on tablets that they do not test hard enough for the PC. In addition the Windows Update program fails to load an update and crashes the app and sometimes the PC. Then you have to research and find out which update needs to go and which needs installed before the other.

    Bottom Line: Do not set Update to auto install updates of any kind. Especially Drivers. If we follow this guidance then we do not need to know in advance about updates on the home front. No Auto-Installs.
