Adobe considers move to monthly patching

Adobe has denied that it is considering moving its security updates to a monthly schedule.

According to H-online.com, the company is currently considering reducing the interval between security updates for Adobe Reader from 90 to 30 days. It quoted Brad Arkin, Adobe's director of product security and privacy, that a monthly cycle "is one of the alternatives currently under discussion", and added that, in emergencies, Adobe is now in a position to develop patches within 15 days and to release them outside of the regular patch cycle.

He also said that in addition to Adobe Reader, the company wants to bring products such as Flash and Shockwave into the update cycle – updates for which have previously been released as needed and when ready.

A monthly schedule would see it join the likes of Microsoft and Oracle. However, a spokesperson for Adobe said: “This is something we are carefully evaluating in trying to provide the best possible solution for our customers. We are taking all factors into consideration, including the cost of patch deployment in managed environments.”

The company announced its move to a regular patching schedule a year ago, and began releasing regular patches from June 2009. 

Andrew Storms, director of security operations for nCircle, claimed that Apple and Adobe have a lot of work to do to get their patch information up to current market standards.

He said: “The bottom line is we should expect nearly all vendors to move to a regular, frequent patch release cycle. The key to making that cycle work for enterprise security teams is in the information the vendor provides (or doesn't provide, as the case may be).

“If the vendor provides enough advance notice on what they are going to patch and enough technical information, especially mitigation advice, then deployment teams can prepare for and accurately prioritise the onslaught of work.”

Nancee Melby, director of product marketing at Shavlik, claimed that as cyber criminals have turned their attention to Adobe products, this was a trend that everyone except Adobe saw coming long ago.

Melby said: “The trend was clear but Adobe was slow to take action. It was a great first step to announce a quarterly patch release schedule. But they have been sneaking updates in on Microsoft's Patch Tuesday consistently – like they did with the Adobe Shockwave 11.5.6.609 in May. Clearly, even Adobe knew their quarterly schedule wasn't responsive enough.”

“Adobe needs to quit its stubborn reliance on auto updaters – which don't cut it for businesses with more than 25 computers – and work with the rest of us to standardise their patch content and deployment methods to make it easier on system administrators to deploy these updates.”

See original article on scmagazineus.com