How Microsoft Influenced Adobe Security (In a Good Way)

When I first started writing about information security five years ago, all a writer had to do was mention Microsoft in the same headline space as “security vulnerability” to strike page-view gold. In 2004 Microsoft was a couple years into its Trustworthy Computing Initiative but it remained the software company IT security practitioners hated with glee.

During conference keynotes and panel discussions, all someone like security luminary Bruce Schneier had to do to get applause was pan Microsoft’s handling of one security incident or another. [More on Bruce Schneier: Security ROI: Fact or Fiction?]

That’s not so much the case today.

Microsoft still does a lot of things to annoy people. Its release of Vista didn’t go so well and the company is trying to make up for it with Windows 7.

But most will admit the software giant has made monumental security strides in recent years. One example of that has become a much-copied practice among vendors.

In 2003 Microsoft moved to a monthly security update popularly known as Patch Tuesday. Security vendors and their PR flaks have gleefully promoted it like a monthly tornado or hurricane watch ever since. [Read about the Patch Tuesday hype machine]

CLICK HERE for Microsoft’s June 2009 security update

Oracle eventually followed Microsoft’s lead by unveiling a quarterly patching cycle, and now Adobe has followed suit with its own quarterly security update, the first of which is this week.

CLICK HERE for Adobe’s security bulletins and advisories page

It’s an example of other vendors copying something that worked elsewhere.

Though a lot of smart people in the industry think vendors should patch individual flaws as they surface instead of saving fixes for a set day, the IT security practitioners I talk to say the set patching cycle has made their organizations more secure and their lives less chaotic.

IT shops have been able to plan around the Microsoft security updates, as well as the Oracle schedule. Adapting to Adobe’s schedule shouldn’t be too difficult, either.

Admins like it this way because they don’t have to drop everything and scramble to test and install a surprise security update. They know when the fix is coming and how many days it will take to run them through the test beds before deploying them across the organization.

Companies have come to rely on Adobe’s product line, especially Reader and Acrobat. If someone in the company opens up a .pdf file or edits a photo, they’re almost always using Adobe to do it. Adobe also suffers from the frequent appearance of security holes attackers could exploit to infect machines that are incorporated into botnets and exploited in other insidious ways. [See Botnets: 4 Reasons It’s Getting Harder to Find and Fight Them]

Adobe has been known to release security fixes with little warning, leaving IT shops scrambling to work the updates into already crammed schedules.

Did I mention that IT administrators loathe surprise and chaos?

Adobe deserves credit for recognizing this and moving to a set schedule that makes more sense. But Microsoft also deserves credit for adopting a security best practice others can gladly follow.

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD — overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry’s most egregious FUD, send an e-mail to bbrenner@cxo.com.