To Spread or Not to Spread, That Is the Question
February 13, 2020 • RBS
The Vulnerability Fujiwhara Effect
We recently wrote two posts about the Fujiwhara storm of vendor disclosures, when the release schedules of Microsoft, Oracle and a number of other vendors all landed on the same day. It made for a very busy day for IT teams, and it will happen again in April and July 2020.
A (Disclosure) Sea of Troubles
Even before the recent Microsoft and Oracle disclosure collision, vendors had long been piggy-backing on Patch Tuesday (originally known as Microsoft Tuesday). Back in October 2003, Microsoft formalized its release schedule as the second Tuesday of each month. In 2012, Adobe changed its release schedule to coincide with Microsoft's release dates. Since then, various vendors including SAP, Siemens, Schneider Electric, Intel, and Lenovo have jumped on the bandwagon.
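The collision the post describes can be predicted from the vendors' published rules. The following is an added example, not code from the original post or from Risk Based Security: it computes Microsoft's Patch Tuesday (second Tuesday of each month, as stated above) and Oracle's Critical Patch Update day, which this example assumes follows Oracle's published rule of the Tuesday closest to the 17th of January, April, July and October (that rule is not stated on this page), and lists the months in which the two coincide.

```python
from datetime import date, timedelta
from typing import List, Optional

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft's Patch Tuesday: the second Tuesday of the month."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def oracle_cpu(year: int, month: int) -> Optional[date]:
    """Oracle Critical Patch Update day, assumed here to be the Tuesday
    closest to the 17th of Jan/Apr/Jul/Oct (Oracle's published rule; this
    assumption is not taken from the page). None for other months."""
    if month not in (1, 4, 7, 10):
        return None
    anchor = date(year, month, 17)
    # Nearest Tuesday on or after the 17th, and the one a week earlier.
    after = anchor + timedelta(days=(TUESDAY - anchor.weekday()) % 7)
    before = after - timedelta(days=7)
    # A week is 7 days, so one of the two is strictly closer; no ties.
    return after if (after - anchor) < (anchor - before) else before


def collisions(year: int) -> List[int]:
    """Months in which Oracle's CPU day equals Microsoft's Patch Tuesday."""
    return [
        m for m in range(1, 13)
        if oracle_cpu(year, m) is not None and oracle_cpu(year, m) == patch_tuesday(year, m)
    ]


if __name__ == "__main__":
    for m in range(1, 13):
        print(m, patch_tuesday(2020, m), oracle_cpu(2020, m))
    print("collision months in 2020:", collisions(2020))
```

Running it for 2020 flags January, April and July, which matches the collision the earlier posts covered (January) and the two upcoming ones named above; October 2020 is clear because the Tuesday closest to the 17th falls on the 20th, a week after Patch Tuesday.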
Over the years we’ve had discussions about this with some of these vendors. Their main argument is that customers requested this, and that it is in their customers’ best interest that many major vendors release on the same day. This allows customers to plan ahead and address everything at once.
Is it really in your best interest, though? Are customers requesting this? And perhaps, most importantly, is it even possible to address so many patches all at once?
“There is an advantage in having vendors disclose at known intervals, but it is becoming a significant problem that so many vendors piggy-back on the same day. When major vendor disclosures are scheduled in a way that doesn’t prevent them from clashing, it becomes even worse for customers who would prefer to focus on select vendor disclosures like Microsoft and Adobe.”
Carsten Eiram, Chief Research Officer, Risk Based Security
Organizations without a highly mature vulnerability management program, one that includes a vulnerability intelligence solution, have no efficient way to deal with this short of starting at one end of the list and working through it. That could easily take weeks and may result in critical vulnerabilities not being addressed in a timely manner. In the meantime, other critical vulnerabilities disclosed after Patch Tuesday may be missed outright or sit in the backlog for an undefined amount of time.
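The difference between "start at one end and work through" and risk-based triage can be made concrete. The following is an added example, not code from the original post or from Risk Based Security: it takes a constructed Patch Tuesday batch (the vendor names, advisory identifiers, scores and asset counts are all made up for illustration) and compares how many days a fixed-capacity team needs to reach the most dangerous item when working in list order versus in priority order. The scoring function is a simple illustrative weighting of CVSS by exploitation status and exposure, not any vendor's or product's method.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Advisory:
    vendor: str
    ident: str          # constructed placeholder id, not a real advisory
    cvss: float         # CVSS base score, 0.0 to 10.0
    exploited: bool     # exploitation reported in the wild
    exposed_hosts: int  # affected assets reachable from untrusted networks


# Constructed batch in the order the advisories were published, grouped
# by vendor the way a "work from one end" approach would see them.
BATCH: List[Advisory] = [
    Advisory("Vendor-A", "A-001", 5.3, False, 0),
    Advisory("Vendor-A", "A-002", 7.5, False, 12),
    Advisory("Vendor-A", "A-003", 6.1, False, 0),
    Advisory("Vendor-B", "B-001", 4.3, False, 0),
    Advisory("Vendor-B", "B-002", 7.2, False, 0),
    Advisory("Vendor-C", "C-001", 5.5, False, 0),
    Advisory("Vendor-C", "C-002", 9.8, True, 40),
    Advisory("Vendor-D", "D-001", 6.5, False, 3),
    Advisory("Vendor-E", "E-001", 8.8, True, 0),
    Advisory("Vendor-E", "E-002", 7.8, False, 200),
]


def risk_score(a: Advisory) -> float:
    """Illustrative weighting (an assumption of this example): known
    exploitation multiplies the base score, and exposure adds up to 5."""
    score = a.cvss
    if a.exploited:
        score *= 1.5
    if a.exposed_hosts > 0:
        score += min(a.exposed_hosts, 50) / 10
    return round(score, 2)


def prioritised(batch: List[Advisory]) -> List[Advisory]:
    """Highest risk first; sorted() is stable, so ties keep publication order."""
    return sorted(batch, key=risk_score, reverse=True)


def days_until_addressed(order: List[Advisory], ident: str, per_day: int) -> int:
    """1-based day on which `ident` is reached when the team works through
    `order` at `per_day` advisories a day."""
    position = [a.ident for a in order].index(ident)
    return position // per_day + 1


if __name__ == "__main__":
    for a in prioritised(BATCH):
        print(f"{a.ident:6} {risk_score(a):5.1f} {a.vendor}")
    for ident in ("C-002", "E-001"):
        print(ident,
              "list order: day", days_until_addressed(BATCH, ident, 2),
              "| prioritised: day", days_until_addressed(prioritised(BATCH), ident, 2))
```

With two advisories handled per day, the exploited, widely exposed item C-002 is reached on day 4 in list order but on day 1 once the batch is triaged; the point scales with the batch size, which is exactly what a crowded Patch Tuesday produces.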
Most of the customers we’ve discussed this with have expressed unhappiness with so many vendors cramming their releases into Patch Tuesday. They would prefer to focus that day on the Microsoft and Adobe disclosures alone. While they appreciate the predictability of knowing when to expect vendor disclosures, the consensus is that those disclosures should be properly spread out.
Those Who Would Bear the Whips, Disclosures and Scorns of Time
We’re very curious about your views. We’ve created a poll that asks: “Do you prefer that the disclosures all happen on the same day versus being spread out?” The poll is available on Facebook and Twitter, and we would greatly appreciate your input.
If you’re not yet a customer and would value access to a vulnerability intelligence solution that goes beyond the basic vulnerability management products out there, please don’t hesitate to contact us for a demo and trial account.