Patch scramble throws Adobe updates off schedule

The company had to handle two major security problems in July instead of readying its second-ever quarterly patch release

July was a tough month for Adobe Systems' security team. So tough, in fact, that the company's second-ever quarterly patch release will arrive a month late, Adobe's security chief said Thursday.

In June, Adobe took a cue from Microsoft, Oracle and Cisco, and said it would start delivering security updates on a regular, predictable schedule. Although most software companies roll out patches on an ad hoc basis, these predictable updates make it easier for enterprise customers to plan how they roll them out. At the time, Adobe said it would roll out its next set of patches on Sept. 8.

But that was not to be. That's because instead of readying quarterly patches, Adobe's security team spent most of July scrambling to fix two critical security problems: one stemming from a flaw in Microsoft's ATL (Active Template Library) software, and the other a critical flaw in its Flash and Reader software that was being exploited in cyber-attacks.

"When we had the fire drill in July, when we were working on getting that urgent patch off out of cycle, that impacted our cycle," said Brad Arkin, director for Product Security and Privacy.

The ATL issue was a big deal because Adobe, like other software vendors, had to comb through its source code to see which products used the buggy library component. "We went from triaging over 200 products inside Adobe to evaluate which products were potentially vulnerable to the ATL header problem, to getting out an update as soon as possible," Arkin said.

Adobe has built time into its quarterly schedule to handle out-of-cycle updates, but there simply wasn't enough time to handle both these major issues and the updates this quarter. So instead of a September release, Adobe's next quarterly update will be released Oct. 13, the same day as Microsoft's "Patch Tuesday" security release for that month.

Adobe isn't the only company moving around its patch schedule. On Thursday, Oracle said it would be a week late with its next Critical Patch Update, now expected Oct. 20. Oracle moved the date so that its patch release would not clash with the company's annual Oracle OpenWorld conference, held Oct. 11-15 in San Francisco.

Arkin hopes his company will ship its subsequent update three months after October, but Adobe will lock down that date when it ships the Oct. 13 patches. "For us this is an ongoing process," he said. "We're working with the customers to give them as much notice as we can."

He said it's possible that future updates could be delayed as well. "Our plan is to [release updates] each quarter, and if we ever need to change the communicated schedule, we'll make that news available as soon as we can."

That's a good idea, because customers like their security patches to be as predictable as possible, according to David Marcus, security research manager with McAfee Avert Labs. "Inconsistency in a regular patch cycle is just not helpful to enterprises."

Join the CSO newsletter!

Error: Please check your email address.

Tags securityadobe

More about Adobe SystemsAdobe SystemsATLAvertCiscoMcAfee AustraliaMicrosoftOracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert McMillan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place