Adobe moving to monthly security patch schedule

Adobe Systems Inc. is taking a page from Microsoft Corp.'s playbook. Next year, the San Jose, California, company will begin releasing security patches on a predictable, monthly basis, much as Microsoft has been doing since October 2003.

The monthly security updates will start sometime in the next six months and are expected to cover most, if not all, of Adobe's products, said Adrian Ludwig, Adobe's manager of secure software engineering.

Right now, Adobe releases security patches on an ad hoc basis, but customers have asked for a more predictable schedule, Ludwig said. "One of the comments that customers have said is, 'We don't like to be surprised.'"

Though many of the details of the program are still being worked out, users are expected to be notified of the updates via the same e-mail and automatic update mechanisms available today, Ludwig said. The company has not yet decided if it will follow Microsoft's practice of releasing some details on the security patches a few days before they are released in order to give administrators a sense of the criticality of the coming update.

Macromedia Inc., which was recently acquired by Adobe, had been planning to move to a monthly schedule in December. But with the merger, those plans have been pushed back so that the monthly alerts can be done on a company-wide basis, he said.

Though most software companies have not moved to this kind of regular patching cycle, Gartner Inc. analyst John Pescatore [cq] believes that it is likely to become an industry standard. "Microsoft has so many patches it really has developed the industry-leading way of dealing with patches," he said. "We're definitely seeing many vendors moving to more predictable patch release."

Moving to a predictable patch cycle, however, only solves part of the patch management problem for administrators, he said. Adobe will also need to do a good job of explaining which patches are the most critical and why, so that customers know how to prioritize the updates.

"We consider it a very good thing to be regular and predictable," Pescatore said. However, he said that analysts also would like to see Adobe "provide enough information to let enterprise administrators make their own decision."

Though Oracle Corp. has moved to predictable, quarterly software updates, Pescatore said that the company still does not provide enough information for administrators to make an educated decision on whether or not they need to apply the latest patches. "They say, 'We don't want to give out any information. That will help the bad guys.'"