How Microsoft Influenced Adobe Security In a Good Way

Microsoft used to be the poster child for insecure software. Now Adobe is following in its footsteps with a set patching schedule. CSO Senior Editor Bill Brenner says Microsoft deserves credit for actually improving security

When I first started writing about information security five years ago, all a writer had to do was mention Microsoft in the same headline space as "security vulnerability" to strike page-view gold. In 2004 Microsoft was a couple years into its Trustworthy Computing Initiative but it remained the software company IT security practitioners hated with glee.

During conference keynotes and panel discussions, all someone like security luminary Bruce Schneier had to do to get applause was pan Microsoft's handling of one security incident or another.

That's not so much the case today.

Microsoft still does a lot of things to annoy people. Its release of Vista didn't go so well and the company is trying to make up for it with Windows 7.

But most will admit the software giant has made monumental security strides in recent years. One example of that has become a much-copied practice among vendors.

In 2003 Microsoft moved to a monthly security update popularly known as Patch Tuesday. Security vendors and their PR flaks have gleefully promoted it like a monthly tornado or hurricane watch ever since.

CLICK HERE for Microsoft's June 2009 security update

Oracle eventually followed Microsoft's lead by unveiling a quarterly patching cycle, and now Adobe has followed suit with its own quarterly security update, the first of which is this week.

CLICK HERE for Adobe's security bulletins and advisories page

It's an example of other vendors copying something that worked elsewhere.

Though a lot of smart people in the industry think vendors should patch individual flaws as they surface instead of saving fixes for a set day, the IT security practitioners I talk to say the set patching cycle has made their organizations more secure and their lives less chaotic.

IT shops have been able to plan around the Microsoft security updates, as well as the Oracle schedule. Adapting to Adobe's schedule shouldn't be too difficult, either.

Admins like it this way because they don't have to drop everything and scramble to test and install a surprise security update. They know when the fix is coming and how many days it will take to run them through the test beds before deploying them across the organization.

Companies have come to rely on Adobe's product line, especially Reader and Acrobat. If someone in the company opens up a .pdf file or edits a photo, they're almost always using Adobe to do it. Adobe also suffers from the frequent appearance of security holes attackers could exploit to infect machines that are incorporated into botnets and exploited in other insidious ways. [See Botnets: 4 Reasons It's Getting Harder to Find and Fight Them]

Adobe has been known to release security fixes with little warning, leaving IT shops scrambling to work the updates into already crammed schedules.

Did I mention that IT administrators loathe surprise and chaos?

Adobe deserves credit for recognizing this and moving to a set schedule that makes more sense. But Microsoft also deserves credit for adopting a security best practice others can gladly follow.

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD -- overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to

Join the CSO newsletter!

Error: Please check your email address.

Tags patchingMicrosoftadobe

More about Adobe SystemsBillMicrosoftOracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bill Brenner

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts