Can delaying the release of updates improve security?

Opinion and Analysis

Adobe is planning to switch to a quarterly security update cycle. Does that make you feel more or less secure?

My reaction to Adobe's security effort is mixed. Indeed, two of the three prongs seem to be at odds with each other.

The work to make products more secure is of course welcome, and it's good to hear that modern processes are being applied to old code - notably in the area of input validation.

If you make sure that all inputs are well-formed before doing any processing, it becomes much harder to feed malformed data to a function with the goal of causing an overflow or other error condition.

The company is also aiming to respond more rapidly to 'incidents', including the simultaneous release of patches for more versions of the affected software.

But this is where the message seems to be at cross purposes. Adobe has also announced that it will soon switch from making patches available as soon as they are ready to a quarterly cycle.

I can understand the decision to align release dates with Microsoft's Patch Tuesday so enterprise users can test and apply patches from both companies at the same time, but it seems strange to delay the release of updates for - potentially - months rather than weeks, as would be the case with a monthly cycle.

But generally speaking, corporate PCs seem less likely to be the ones spewing out spam under the influence of malware. If the spam headers I receive are anything to go by, that seems to be largely the domain of privately owned computers.

So why make a change to suit the part of the market that's not the biggest part of the problem? (Perhaps it has something to do with highly targeted attacks on executives, using documents named specifically to tempt them?)

Being widely used, Adobe's software is an obvious target for the Bad Guys, so we really don't want to wait longer than absolutely necessary for updates whenever a new vulnerability is discovered.
