Patch scramble throws Adobe updates off schedule
IDG News Service - July was a tough month for Adobe Systems' security team. So tough, in fact, that the company's second-ever quarterly patch release will arrive a month late, Adobe's security chief said Thursday.
In June, Adobe took a cue from Microsoft, Oracle and Cisco, and said it would start delivering security updates on a regular, predictable schedule. Although most software companies roll out patches on an ad hoc basis, these predictable updates make it easier for enterprise customers to plan how they roll them out. At the time, Adobe said it would roll out its next set of patches on Sept. 8.
But that was not to be. That's because instead of readying quarterly patches, Adobe's security team spent most of July scrambling to fix two critical security problems: one stemming from a flaw in Microsoft's ATL (Active Template Library) software, and the other a critical flaw in its Flash and Reader software that was being exploited in cyber-attacks.
"When we had the fire drill in July, when we were working on getting that urgent patch off out of cycle, that impacted our cycle," said Brad Arkin, director for Product Security and Privacy.
The ATL issue was a big deal because Adobe, like other software vendors, had to comb through its source code to see which products used the buggy library component. "We went from triaging over 200 products inside Adobe to evaluate which products were potentially vulnerable to the ATL header problem, to getting out an update as soon as possible," Arkin said.
Adobe has built time into its quarterly schedule to handle out-of-cycle updates, but there simply wasn't enough time to handle both these major issues and the updates this quarter. So instead of a September release, Adobe's next quarterly update will be released Oct. 13, the same day as Microsoft's "Patch Tuesday" security release for that month.
Adobe isn't the only company moving around its patch schedule. On Thursday, Oracle said it would be a week late with its next Critical Patch Update, now expected Oct. 20. Oracle moved the date so that its patch release would not clash with the company's annual Oracle OpenWorld conference, held Oct. 11-15 in San Francisco.
Arkin hopes his company will ship its subsequent update three months after October, but Adobe will lock down that date when it ships the Oct. 13 patches. "For us this is an ongoing process," he said. "We're working with the customers to give them as much notice as we can."
He said it's possible that future updates could be delayed as well. "Our plan is to [release updates] each quarter, and if we ever need to change the communicated schedule, we'll make that news available as soon as we can."
That's a good idea, because customers like their security patches to be as predictable as possible, according to David Marcus, security research manager with McAfee Avert Labs. "Inconsistency in a regular patch cycle is just not helpful to enterprises."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts