Patch scramble throws Adobe updates off schedule
IDG News Service - July was a tough month for Adobe Systems' security team. So tough, in fact, that the company's second-ever quarterly patch release will arrive a month late, Adobe's security chief said Thursday.
In June, Adobe took a cue from Microsoft, Oracle and Cisco, and said it would start delivering security updates on a regular, predictable schedule. Although most software companies roll out patches on an ad hoc basis, these predictable updates make it easier for enterprise customers to plan how they roll them out. At the time, Adobe said it would roll out its next set of patches on Sept. 8.
But that was not to be. That's because instead of readying quarterly patches, Adobe's security team spent most of July scrambling to fix two critical security problems: one stemming from a flaw in Microsoft's ATL (Active Template Library) software, and the other a critical flaw in its Flash and Reader software that was being exploited in cyber-attacks.
"When we had the fire drill in July, when we were working on getting that urgent patch off out of cycle, that impacted our cycle," said Brad Arkin, director for Product Security and Privacy.
The ATL issue was a big deal because Adobe, like other software vendors, had to comb through its source code to see which products used the buggy library component. "We went from triaging over 200 products inside Adobe to evaluate which products were potentially vulnerable to the ATL header problem, to getting out an update as soon as possible," Arkin said.
Adobe has built time into its quarterly schedule to handle out-of-cycle updates, but there simply wasn't enough time to handle both these major issues and the updates this quarter. So instead of a September release, Adobe's next quarterly update will be released Oct. 13, the same day as Microsoft's "Patch Tuesday" security release for that month.
Adobe isn't the only company moving around its patch schedule. On Thursday, Oracle said it would be a week late with its next Critical Patch Update, now expected Oct. 20. Oracle moved the date so that its patch release would not clash with the company's annual Oracle OpenWorld conference, held Oct. 11-15 in San Francisco.
Arkin hopes his company will ship its subsequent update three months after October, but Adobe will lock down that date when it ships the Oct. 13 patches. "For us this is an ongoing process," he said. "We're working with the customers to give them as much notice as we can."
He said it's possible that future updates could be delayed as well. "Our plan is to [release updates] each quarter, and if we ever need to change the communicated schedule, we'll make that news available as soon as we can."
That's a good idea, because customers like their security patches to be as predictable as possible, according to David Marcus, security research manager with McAfee Avert Labs. "Inconsistency in a regular patch cycle is just not helpful to enterprises."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts