Hyphenet's IT Blog: Microsoft Patch Inconsistencies

It's been a busy week for Microsoft. The email patch on Tuesday was stopped by Microsoft, then they changed their mind. The Redmondians (Microsoft's headquarters ) sent out a decree last Friday stating that email notifications of security advisories are coming to a stop on July 1st. The decree mentions "changing governmental policies concerning the insurance of automated electronic messaging". This new Canadian anti-spam law takes effect on July 1st. The announcement is as followed:

Notice to IT professionals:

As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:

* Security bulletin advance notifications

* Security bulletin summaries

* New security advisories and bulletins

* Major and minor revisions to security advisories and bulletins

The new law attempts to rid of annoying spam email, it is required to consent for a commercial business to communicate through email, text message and social media messages. Canada's moving from email opt-OUT to email opt-IN. Penalties stated in the notice say, if your business sends a notice of a special sale to someone who only signed up for an e-newsletter, and the party complains then:

Your business may be fined up to $10,000,000
Your CEO, and each officer, may be fined up to $1,000,000
Your Marketing Agency may be fined up to $10,000,000
You, as an individual, may be fined $10,000

Canada couldn't understand how Microsoft could be misreading the law like this. Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE), and CASL accommodates emails concerning warranty and product safety and security alerts. This means Microsoft's security advisories would be exempt.

He quotes Schwartzman:

I am at a complete and total loss to understand how the people in Redmond made such an apparently panicked decision ... This is the first company I know of that’s been that dumb.
CAUCE board member Jeff Williams, a former group program manager at Microsoft’s Malware Protection Center, told Krebs that Microsoft’s decision likely could be attributed to having come out of a tough choice rather than a lack of legal understanding or grey matter:

I can imagine the discussion and wondering among the lawyers and [Microsoft] whether they should try to get hundreds of millions of opt-ins before June 30 or if they should change the way they share info. I’m sure it wasn’t an easy decision, but I wouldn’t call it an overreaction.
But, fear not, Microsoft has now performed a restart on its security notifications. A spokesperson told Brian Krebs late yesterday that Microsoft will be re-starting its emails early in July.

On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014. [via: NakedSecurity]

We stay up-to-date on patches and notifications, stay tunes with us for more updates! Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+. Referenced: Vaas, Lisa Microsoft stops Patch Tuesday emails, blames Canada, then does U-turn http://nakedsecurity.sophos.com/2014/07/01/microsoft-stops-patch-tuesday-emails-blames.../ Published: July 1, 2014