Lately a handful of so-called experts have railed against information security media outlets like SearchSecurity.com... for providing diligent, voluminous coverage of the never-ending stream of scheduled security patches from vendors like Adobe, Oracle and, of course, Microsoft.
As our readers know, the wide use of these vendors' products has spawned a nation of underground black hats who constantly fish for new flaws in Windows, Flash Player, Oracle Database, and so on, to exploit for their own profit.
Microsoft, in response, was the first of the major software vendors to issue regularly scheduled software security patches, settling in 2003 on a monthly cycle, with other vendors more recently following suit with monthly or quarterly updates. These patch release strategies have been criticized over the years, but they have by and large helped enterprises more easily plan and manage an ever-increasing volume of necessary software updates.
What most of the grizzled, out-of-touch security industry veterans I alluded to above fail to realize, however, is that while the finer points of the scheduled security patch process may seem mind-numbingly mundane to those who haven't rolled up their sleeves and rolled out a patch lately, the reality is that independent, unbiased news coverage of these updates is critical to infosec practitioners and managers. Let me offer a few reasons why.
First, it's important simply to know when patches will be released. The vendors try to keep their customers in the loop with reminders and advances, but they don't always do so effectively. Plus with all the other day-to-day security issues enterprises face, it's easy to overlook, for instance, when the second Tuesday of the month is just around the corner. (That's why, in addition to covering Microsoft's Patch Tuesday announcement each month, we also write about the advance notification bulletin the software giant releases the Thursday before). News organizations try to help by providing a gentle reminder.
Second, deciphering vendor patch bulletins (never mind applying them) can be a full-time job in itself. Have you ever read an Oracle patch update advisory? You'd think Dante Alighieri himself were writing them. Security pros should of course immerse themselves in the details, but it's important to have news coverage that summarizes the key points and offers a starting point for analysis.
Third, not every patch is created equal. As hard as vendors try to restrict patch releases to their normal update cycles, those plans often change, and change rapidly. Urgent updates -- especially those addressing zero-days or other flaws for which exploits are in the wild -- originally intended for a scheduled release are often expedited and released early. That very scenario played out this week with Adobe's out-of-band security fix for a Flash Player zero-day flaw. As a key service to our readers, we try to make sure that sort of urgent information is publicized quickly and prominently.
Finally, and this may be hard to believe, but it's not always wise or feasible to take a vendor's own patch guidance on faith. Getting an independent "second opinion" on what is or isn't important in a given patch cycle is a helpful way to verify that the vendor's recommendations are the best course of action for a given enterprise. Sometimes complications arise as well, such as the Blue Screen of Death following Microsoft's February patch release, and it's critical to get an independent take on whether to implement the patches as planned or put a patch release on hold.
"There is always a need for external reporting as it brings a different view, a more honest view, an independent view," said Susan Bradley, an IT administrator based in Fresno, Calif. "It's not good to read only vendor stuff; they have a vested interest in making the conversation look their way. There's always another side to a story and it's really, really good as a risk evaluator to understand that other side."
There are many other good reasons why it's important for the industry at large to make use of the infosec news resources out there (though preferably SearchSecurity.com) to keep tabs on patch-related news. For most of our readers, my arguments are merely a reminder of the obvious. As for those who don't find that coverage exciting anymore and perhaps want us to focus on news that's a little more "interesting"? All I can say is, as the ancient Chinese proverb states, "May you live in interesting times."
Eric B. Parizo is senior site editor of SearchSecurity.com. His rants can also be heard each month on SearchSecurity.com's Security Squad podcast.