Patch-pouncing security vendors limber up

The latest sport I’ve noticed on the technology newswires is known as ‘patch-pouncing’. This is the practice adopted by certain security and IT administration and/or management software vendors of monitoring the monthly patch releases and making pithy comments on the general state of ensuing IT vulnerability.

Patch-pouncing professionals can often be seen limbering up right around Patch Tuesday, which as you will know is the second Tuesday of each month and the day on which Microsoft releases security patches in the form of bug fixes, performance tweaks and, we hope, no software regressions that simply put us further behind than when we first started.

Winning techniques deployed by some of the most elite patch-pouncers currently playing in the competitive leagues (sponsored by Nicorette) today include the ‘too much – too little trade off’. This practice involves commenting on the balance between Microsoft’s patches (if they are comparatively small) and those released by, say, Adobe and Oracle.

The trade-off argument rests on whether it is better to have a month in which very few patches are available, so that IT administrators have an easy time of it with fewer updates to action, or, on the other hand, the too-many-updates scenario where multiple instances of zero-day vulnerability have been detected.

Endpoint management and security vendor Lumension this month commented that, “Despite Microsoft opening the year with minimal patches, January is laden with critical fixes from Adobe and Oracle to compensate.” So a poor performance in the first half (of the month) there from Microsoft with the other teams clearly at the top of their game.

Commenting on the month’s overall league table and general team match-fitness, Matthew Walker, Lumension’s regional director for UK & Ireland, told Sky Sports, ZDNetUK and Patch365.com that, “Adobe has had to provide several fixes for critical vulnerabilities in Adobe Reader 9.2 and Acrobat 9.2 for Windows, Macintosh and UNIX and Adobe Reader 8.1.7 and Acrobat 8.1.7 for Windows and Macintosh, which can cause applications to crash and provide an attacker with access to take control of the system. Three of the 24 Oracle fixes have Oracle’s highest severity rating, 10.0, affecting Listener, Secure Backup and JRockit.”

So a good month overall then, some strong performances from Adobe and Oracle, but Microsoft will no doubt be looking to steal a charge with some of the Office 2010 team already feeding back patch maneuvers to the current Office Ultimate 2007 team.

As for next month, much of the action may depend on which lead developers are enticed by the opportunity to change sides. But once the transfer window is closed it looks like the season will shape up to be one to remember.
