Patch Tuesday barrage: A bad case of amnesia
Guest editorial by Andrew Storms
Yesterday was a perfect example of the lack of communication between software vendors and their customers about security. Three vendors released major patches for serious bugs, all within hours of each other.
You would think that customers would be a high priority for all vendors, especially in this economy. All vendors certainly give lip service to doing the right thing by their customers; unfortunately, most have a bad case of amnesia when it comes to security.
I can't think of any reason for Oracle and Microsoft to release patches on the same day as they did last month. Even worse, three vendors -- Apple, Adobe and Microsoft -- all released patches yesterday. Of these, only Microsoft had a scheduled release that IT teams could plan for. Adobe did a better job communicating this month than they did last month, but releasing on the same day as Microsoft was a bad idea because it makes hash out of everyone's resource plans for the week. Adobe probably felt they were in the clear given Microsoft's small release of a single bulletin, but they were trumped within minutes by the massive Apple OS update containing fixes for 67 documented vulnerabilities (CVEs).
Why do vendors do this? They know they are going to release a patch and they can certainly communicate with their customers about what to expect. IT security teams that have all three software packages in-house are forced to expeditiously choose which set of patches to roll out first. And these decisions often come at the expense of other internal IT projects.
It is important to receive security patches quickly. More importantly, if you are in lockstep with your vendor's bug fix cycle, then both vendor and consumer can deliver on expected outcomes. Why not assume that your customers would like to plan to have the resources available to install your patch as soon as you release it? And why not assume that your customers' IT teams have a hundred other things to do besides patch your product?
* Andrew Storms is nCircle’s Director of Security Operations. He is responsible for the definition and enforcement of the company’s security compliance programs as well as overseeing day-to-day operations for the Information Technology department.



