Adobe moving to monthly security patches
Taking leaf out of Microsoft's book.
By Robert McMillan, IDG News Service | Published: 10:03, 15 December 2005
Adobe has decided to follow Microsoft's lead and begin releasing security patches on a predictable monthly basis.
The monthly security updates will start within in the next six months and are expected to cover most, if not all, of Adobe's products, said Adrian Ludwig, Adobe's manager of secure software engineering.
Right now, Adobe releases security patches on an ad hoc basis, but customers have asked for a more predictable schedule, Ludwig said. "One of the comments that customers have said is, 'We don't like to be surprised'."
Though many of the details of the program are still being worked out, users are expected to be notified of the updates via the same e-mail and automatic update mechanisms available today, Ludwig said. The company has not yet decided if it will follow Microsoft's practice of releasing some details on the security patches a few days before they are released in order to give administrators a sense of the criticality of the coming update.
Adobe's recently purchase Macromedia had been planning to move to a monthly schedule in December. But those plans have been pushed back with the merger so that the alerts can be done on a company-wide basis, he said.
Though most software companies have not moved to this kind of regular patching cycle, Gartner analyst John Pescatore believes it is likely to become an industry standard. "Microsoft has so many patches it really has developed the industry-leading way of dealing with them," he said. "We're definitely seeing many vendors moving to more predictable patch release."
Moving to a predictable patch cycle, however, only solves part of the patch management problem for administrators, he said. Adobe will also need to do a good job of explaining which patches are the most critical and why, so that customers know how to prioritize the updates.
Though Oracle has moved to predictable, quarterly software updates, Pescatore said that the company still does not provide enough information for administrators to make an educated decision on whether or not they need to apply the latest patches.