July was a tough month for Adobe Systems’ security team. So tough, in fact, that the company’s second-ever quarterly patch release will arrive a month late, Adobe’s security chief said Thursday.
In June, Adobe took a cue from Microsoft, Oracle and Cisco, and said it would start delivering security updates on a regular, predictable schedule. Although most software companies roll out patches on an ad hoc basis, these predictable updates make it easier for enterprise customers to plan how they roll them out. At the time, Adobe said it would roll out its next set of patches on Sept. 8.
But that was not to be. That’s because instead of readying quarterly patches, Adobe’s security team spent most of July scrambling to fix two critical security problems: one stemming from a flaw in Microsoft’s ATL (Active Template Library) software, and the other a critical flaw in its Flash and Reader software that was being exploited in cyber-attacks.
“When we had the fire drill in July, when we were working on getting that urgent patch off out of cycle, that impacted our cycle,” said Brad Arkin, director for Product Security and Privacy.
The ATL issue was a big deal because Adobe, like other software vendors, had to comb through its source code to see which products used the buggy library component. “We went from triaging over 200 products inside Adobe to evaluate which products were potentially vulnerable to the ATL header problem, to getting out an update as soon as possible,” Arkin said.
Adobe has built time into its quarterly schedule to handle out-of-cycle updates, but there simply wasn’t enough time to handle both these major issues and the updates this quarter. So instead of a September release, Adobe’s next quarterly update will be released Oct. 13, the same day as Microsoft’s “Patch Tuesday” security release for that month.
Adobe isn’t the only company moving around its patch schedule. On Thursday, Oracle said it would be a week late with its next Critical Patch Update, now expected Oct. 20. Oracle moved the date so that its patch release would not clash with the company’s annual Oracle OpenWorld conference, held Oct. 11-15 in San Francisco.
Arkin hopes his company will ship its subsequent update three months after October, but Adobe will lock down that date when it ships the Oct. 13 patches. “For us this is an ongoing process,” he said. “We’re working with the customers to give them as much notice as we can.”
He said it’s possible that future updates could be delayed as well. “Our plan is to [release updates] each quarter, and if we ever need to change the communicated schedule, we’ll make that news available as soon as we can.”
That’s a good idea, because customers like their security patches to be as predictable as possible, according to David Marcus, security research manager with McAfee Avert Labs. “Inconsistency in a regular patch cycle is just not helpful to enterprises.”