Crazy Patch Tuesday (And Not Because Of Microsoft, Either)

As Microsoft's Patch Tuesdays go, this one struck me as a fairly straightforward day. Yet, what was up with Symantec and Adobe? Patch Tuesdays aren't a good day to make the jobs of IT security and operation teams any more difficult than they already are.
As Microsoft's Patch Tuesdays go, this one struck me as a fairly straightforward day. Yet, what was up with Symantec and Adobe? Patch Tuesdays aren't a good day to make the jobs of IT security and operation teams any more difficult than they already are.When Microsoft initiated "Patch Tuesdays" a number of years ago, the point was to help IT teams better-align their resources to assess the systems that need to be patched, test those patches, deploy them, and finally make sure that those patches have been properly applied. It's a lot of work, and companies need to be able to assess and mitigate their risks as fast as possible.

That's why they don't need nonsensical, completely avoidable gaffes that make their workdays hell. But that's what they got from Symantec and Adobe yesterday.

Around end of day Pacific Time on Monday, Symantec released what it called a diagnostic patch "PIFTS.exe" for Norton Internet Security and Norton Antivirus 2006 & 2007. Here is what Symantec said about the incident on its blog:

This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned," which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

PIFTS.exe determines what Symantec products, and their version level, are installed on the system, and send that information back to Symantec. The data is used to let users know when new product versions are available.

It doesn't cause any direct security risks, for sure. But it certainly caused a lot of distraction as corporate users would certainly, upon returning to work Tuesday, or even end of day Monday for those on the West Coast, start contacting their help desk and security managers asking what the heck was going on.

That's certainly not the distraction companies need on Patch Tuesday. Maybe next time Symantec could wait to do this after Patch Tuesday -- or at least not on the eve of Patch Tuesday? Is a little consideration for business users too much to ask?

And shipping unsigned software is really not an excusable mistake for a software security company to make.

Then there was Adobe. Initially, Adobe said it would patch a zero-day vulnerability on March 11. Fine, security teams could budget some time to deploy this patch while they're patching Microsoft's patches from Tuesday.

That was the plan, until Adobe decided -- without warning -- that it wasn't. Adobe shows up early. After weeks of patch and vulnerability game playing, this software company releases the patch a day early. But not just any day. No. They do this on Patch Tuesday.

When I first thought about Adobe's action, I thought maybe I was being too tough. It's good to have a patch out, and sooner, rather than later. Except for when you already told the world you'd be releasing the patch on Wednesday, and the day early happens to be Patch Tuesday.

I entered an e-mail exchange with Andrew Storms, director of security operations for nCircle, on the Adobe's action, and here's part of what he had to say:

As if IT security teams didn't have enough to worry about today, Adobe released a patch for their high-profile zero day vulnerability in Adobe Reader and Acrobat.

Why would they decide to release today? The obvious thought is they wanted to deliver the patch once it was ready and any ramifications to release it on the same day as Microsoft was probably tossed aside as a minor problem.

It's actually too bad, since the timing will just further the confusion already with Adobe. Remember that it chose to release a patch for Flash that wasn't even being publicly exploited? That event, along with the delay in Adobe's public information dissemination, has caused it much angst in the last month.

I agree with Andrew. And I'll add that, in my discussions with other IT security managers, more people also are fed up with the lack of consideration software companies are showing about the ramifications their patch and update release cycles have on operations. It's one thing if you are a consumer, and you have one to half a dozen PCs to patch. It's quite another if you are a business with 500, 5,000, or more.

It's time more software companies take this into account in their decisions as to when they publish updates.