Adobe has become the third major software vendor to begin shipping its security updates on a regular schedule. Following the lead of Microsoft and Oracle, which have been releasing patches on a set schedule for many years, Adobe will now ship its patches once per quarter. It’s a move that’s overdue for Adobe and one that other vendors (read: Apple) would do well to follow.
It was not that long ago that the idea of a software vendor releasing patches on a set schedule seemed unnecessary, if not downright silly. Even the largest vendors were not shipping enough security fixes to make such a schedule worthwhile. Microsoft, with its enormous product set and well-chronicled security problems in the early part of this decade, was in the habit of releasing patches whenever they were ready, and it mostly worked.
But once the company began taking security more seriously in the form of its Trustworthy Computing program and started to thaw relations with the security research community, the number of security patches grew quickly and customers told Redmond that they were being overwhelmed. Admins could no longer deal with patches coming out with little or no notice. They needed fair warning in order to schedule downtime and test and deploy the numerous fixes that were coming down the pike every month. So Microsoft got the hint and started shipping patches once a month and eventually giving pre-release notice of how many patches were coming and for which applications.
And it worked. The program brought order and predictability to the patching process and improved the deployment rate of Microsoft’s patches. Oracle followed suit a couple of years later, announcing that it would begin releasing its patches on a quarterly basis. And that worked, too.
Both vendors have come under criticism at various times for being too reluctant to release emergency patches outside of their normal schedules. It’s a legitimate concern. In fact, I wrote a column two years ago saying that Microsoft should scrap Patch Tuesday and go back to fixing vulnerabilities as they crop up. Boy, was I wrong. I still think Microsoft, Oracle, Adobe and the rest of the vendor community could do better at getting emergency patches out more quickly, but the value of having regularly scheduled patch releases clearly outweighs the drawbacks.
It’s encouraging to see Adobe making the switch. The company has taken a lot of hits recently for not being transparent or responsive enough about its security patching process, and, as was the case with Microsoft and Oracle, it seems that pressure from customers and researchers has helped bring about the change.
Now, the spotlight is shining on Apple. The notoriously opaque and secretive company has been conspicuously quiet on most security issues, a fact that was highlighted again this week by the revelation of a serious Java vulnerability in OS X that has gone unpatched for nearly six months. Apple just released a new version of the operating system last week, which is still vulnerable to the attack. The company is loath to follow anyone else’s lead, let alone Microsoft’s, but in the case of regular security updates, Apple should swallow its pride and get with the program.