Patch Tuesday barrage: A bad case of amnesia
Guest editorial by Andrew Storms
Yesterday was a perfect example of the lack of communication between software vendors and their customers about security. Three vendors released major patches for serious bugs, all within hours of each other.
You would think that customers would be a high priority for all vendors, especially in this economy. All vendors certainly give lip service to doing the right thing by their customers; unfortunately, most have a bad case of amnesia when it comes to security.
I can't think of any reason for Oracle and Microsoft to release patches on the same day as they did last month. Even worse, three vendors -- Apple, Adobe and Microsoft -- all released patches yesterday. Of these, only Microsoft had a scheduled release that IT teams could plan for. Adobe did a better job communicating this month than they did last month, but releasing on the same day as Microsoft was a bad idea because it makes hash out of everyone's resource plans for the week. Adobe probably felt they were in the clear given Microsoft's small release of a single bulletin, but they were trumped within minutes by the massive Apple OS update containing fixes for 67 documented vulnerabilities (CVEs).
Why do vendors do this? They know they are going to release a patch and they can certainly communicate with their customers about what to expect. IT security teams that have all three software packages in-house are forced to expeditiously choose which set of patches to roll out first. And these decisions often come at the expense of other internal IT projects.
It is important to receive security patches quickly. More importantly, if you are in lockstep with your vendor's bug fix cycle, then both vendor and consumer can deliver on expected outcomes. Why not assume that your customers would like to plan to have the resources available to install your patch as soon as you release it? And why not assume that your customers' IT teams have a hundred other things to do besides patch your product?
* Andrew Storms is nCircle’s Director of Security Operations. He is responsible for the definition and enforcement of the company’s security compliance programs as well as overseeing day-to-day operations for the Information Technology department.



