Microsoft's decision to cease Patch Tuesday notices to non-premier customers is a greed-induced step backwards for the firm's security efforts, according to security experts.
On 9 January Microsoft announced that it will stop offering advance patch notifications to non-paying customers, having previously provided the information free of charge via its Advance Notification Service (ANS).
The ANS service allowed businesses to examine updates to check whether they would cause problems with their systems.
Chris Betz, senior director of the Microsoft Security Response Center, said in a blog post that the company believes the majority of customers do not need the ANS information and simply let the updates install automatically.
“Customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimised testing and deployment methodologies,” he said.
However, the decision to limit notifications to premier customers caused ripples within the security community. Some have argued the move was against the edict Microsoft founder Bill Gates gave when setting up the firm's Trustworthy Computing (TwC) division.
TwC was established in 2002 to improve the security of Microsoft's products and services, and to oversee the firm's monthly Patch Tuesday update cycle.
Ross Barrett, senior manager of security engineering at Rapid7, said the move is a sign Microsoft cares more about revenue targets than improving the world's cyber security.
"This is a controversial month for Microsoft. Beyond their changes to their Advance Notification service they have been publicly sparring with security researchers over disclosure procedures," he said.
"It seems that Microsoft's trend towards openness in security has reversed and the company that was formerly doing so much right, is taking a less open stance with patch information.
"It is extremely hard to see how this benefits anyone other than, maybe, whoever is responsible for support revenue targets for Microsoft."
TK Keanini, CTO at security firm Lancope, agreed, pointing out that Microsoft's free service has proven a valuable asset for security professionals.
"If we put the free or pay issue aside, I think we can all agree that this information around Patch Tuesdays has been useful and will continue to be valued," he said.
"If I had to guess, this is more about cutting costs than it is revenue generating.
"I'm sad to see this service go away as it has built up an information system where social media, PR, vendors, IT departments all have a special day on their calendar for the event."
Gavin Millard, technical director at Tenable Network Security, added that the lack of early warnings will leave many firms in a difficult position when dealing with future security releases from Microsoft.
"When the next major vulnerability hits a Microsoft product, organisations scrambling to patch the affected systems will be at a disadvantage," he said.
"Many will face the difficult decision of either deploying the patch quickly, blindly trusting the fact that the fix is bug free, or leaving holes whilst systems are spun up to verify no issues will be caused by rolling out the patch across the enterprise."
Some researchers, however, argue the move does not spell disaster for the security community.
Imperva CTO Amichai Shulman said Microsoft's Active Protections Program (MAPP) is a superior option for IT managers.
"I think that in reality the 'advanced' notice organisations get from vendors such as MS, Oracle, IBM and others have not proven to improve the patching cycle or the security posture of systems," he said.
"I think that MS of all vendors have found the way to work with security vendors in advance of releasing the patch, through their MAPP initiative, to ensure that virtual machines are ready for distribution once the patch is out (and attackers can reconstruct the vulnerability)."
Principal systems engineer at Bromium, Fraser Kyne, made a similar point, arguing: "Perhaps people should invest in tools that make these vulnerabilities moot and make patching something you do at your leisure for new features rather than security fixes.
"Micro-virtualization is an example of a methodology that can change the game here."
Microsoft's change in policy comes amid high-profile breaches and attacks on companies and government bodies, including Sony, which have led many experts to urge businesses to rethink their security strategies.
US president Barack Obama outlined plans for an improved data breach reporting system for businesses on 14 January.