Security Watch

16 Patches: So, Are We Losing The Security Battle?

• By Jabulani Leffall
• 10/12/2010

Almost 50 vulnerabilities addressed in one month.

What?

Sixteen patches.

Huh?

That was the symbolic reaction of many Windows security observers when Redmond dropped its advanced bulletin on our heads last Thursday.

It's a heavy burden for just this month. But what does it mean in the aggregate for patch management and in the long term for security? When all is said and done, 2010 will be remembered as a banner year for bulky patch releases, a year that will also illustrate the growing conundrum among some of the world's largest enterprise IT and software companies including Microsoft, Oracle and Adobe. It's a conundrum that really begins with several key questions major tech companies should be -- or actually are -- asking themselves:

• How fast can we patch any given vulnerability?
• Are we losing the battle to patch products and systems quicker than exploits can be spawned?
• Should we roll out more pervasive patches?
• And if we need to patch more, should we increase our frequency?

And here's the biggest question of all: "Will IT administrators using our products and services have any hair or patience left as the security situation locally, nationally and globally becomes more relevant -- or worse -- more perilous?"

Microsoft, Oracle, Adobe: Triple Whammy
IT security administrators will already have a busy week with Microsoft's patch releases, but admins who also run Oracle and Adobe systems will be buried. Following a big security update from Adobe comes news that a secret meeting occurred on merger talks between Redmond and Adobe systems. Aside from the obvious product synergies, Microsoft has also had to bear the some of the brunt of Adobe's security problems.

Against that backdrop: Microsoft's patches and a jaw-dropping 81-vulnerability patch from that other business software giant, Oracle.

Indeed, "Super Tuesday" no longer applies to elections.

Survey: IT Audits Reveal 'Significant' Security Problems
A survey of about 350 IT managers and network administrators conducted in the middle of last month found 45 percent of respondents said they've had an outside organization conduct a formal security audit at least once a year.

VanDyke Software commissioned Amplitude Research to conduct The Sixth Annual Enterprise IT Security Survey. Comparatively, a survey from the same period in 2009 shows 35 percent had reported conducting such an audit at least once a year. That means audits are growing, which could be seen as a good thing.

But there's always a flip side. That flipside is that more than half, 56 percent, expressed that the audits resulted in identification of significant security problems. Still, it's better to know than live in ignorance.