Adobe has synced its Flash update process to Microsoft's Patch Tuesday. How should enterprises adjust their patch management programs as a result?
Ask the Expert
Adobe Systems Inc. now issues its security updates on the second Tuesday of each month, in tandem with Microsoft's Patch Tuesday. Previously, Adobe released Flash bug fixes at irregular intervals, but this synchronization became essential when Microsoft announced that Internet Explorer (IE) 10 for Windows 8 and Windows RT would include an embedded version of Flash.
Without tight coordination between Microsoft and Adobe, a lag could open up between the two sets of updates, during which hackers could exploit IE via Flash. Back in September, for example, hackers had a window of opportunity to exploit a vulnerability patched by Adobe but not Microsoft. Microsoft was forced to release an unexpected update in a rare departure from its Patch Tuesday timetable.
Thanks to Adobe's patching schedule, enterprise IT staffs have a little more work to do on Patch Tuesday. However, having updates concentrated on a single day will help lighten the load when it comes to third-party patch management. As a regular part of Patch Tuesday, updates from Adobe are more predictable. With staff and resources already in place to test and apply Microsoft updates, the review and rollout decision for Adobe can be made at the same time.
Leveraging existing processes and resources to get desktops updated as quickly as possible also means that Flash updates are more likely to reach more users. Google may well follow suit and adopt Microsoft's Patch Tuesday, since Flash Player is embedded in its Chrome Web browser, too. Chrome is currently patched several times each month with no set schedule.
Windows 8 and Windows RT users can obtain Flash updates for IE10 via the Windows Update service, while others can either download the updated plug-in from Adobe's website or use the Flash updating tool. Adobe said that it would, if necessary, issue emergency updates outside of Microsoft's schedule to combat zero-day bugs. Administrators, therefore, still need to stay tuned to Adobe's Security Notification Service to keep on top of new vulnerabilities and Adobe's proposed mitigation strategy and timetable.
As part of Microsoft's Active Protections Program (MAPP), select security vendors are provided with pre-patch information to give them time to write detection signatures for upcoming exploits or malware. Adobe has used MAPP to deliver vulnerability information about its own products for a couple of years, but, again, synchronization with Microsoft can only make life easier for AV vendors. When vendors give advance notification of a patch being released, security teams can plan accordingly, which is a better situation for everyone.
With all these changes to patch update processes, it is a good time to audit how installed programs are updated and check that they are all, in fact, up to date. Any programs that haven't been updated should be investigated to ensure that the update process is still working correctly.
This was first published in April 2013