An important aspect of patch management and your patching schedule is to understand the patch release cycles adopted by the most important software vendors. In this post, we take a look at some statistics on this topic and how patch release cycles have changed over the last few years.
The big players in the software industry are taking security seriously. They are becoming more efficient at fixing security issues, and the results are evident. Six vendors, Microsoft, Adobe, Mozilla, Apple, Oracle and Google, together released 257 security bulletins/advisories fixing 1,521 vulnerabilities in 2011. In 2010, these vendors fixed 1,458 vulnerabilities.
Basically, a typical machine that is not patched will be exposed to between 30 and 50 new security vulnerabilities each month since the last time it was patched. More statistics about vulnerabilities discovered in 2011 are available here.
Microsoft releases its security updates on the second Tuesday of every month. The well-known release schedule for security updates helps users plan their deployment accordingly. It is recommended that new patches are tested before they are applied in a production environment, because some patches may cause issues in some cases, ranging from preventing a service from starting to crashing the system. Occasionally, when critical vulnerabilities are identified or have been disclosed publicly, Microsoft will release a fix outside the regular schedule.
100 security bulletins were released by Microsoft in 2011, addressing 240 vulnerabilities. This is fewer than in 2010, when 106 security bulletins were released, addressing 266 vulnerabilities. The number of critical security issues detected in Microsoft products is decreasing; however, the number of security updates remains high due to non-critical security issues.
Adobe adopted the Microsoft model and releases its security updates on “Patch Tuesdays”. This is because customers wanted a single patch cycle for both Adobe and Microsoft, so that it would be easier for them to keep their systems fully patched. Adobe products were a preferred target for hackers and security researchers over the past few years, and numerous fixes were released as a result.
A total of 29 security bulletins were released by Adobe in 2011, addressing 197 vulnerabilities. This is one less bulletin than in 2010 when there were 30 security bulletins, addressing 202 vulnerabilities.
Mozilla releases a new version of Firefox that includes the latest security fixes every six weeks. Occasionally they release updates containing security fixes out of the normal six-week cycle.
59 security bulletins were released by Mozilla in 2011, addressing 93 vulnerabilities – fewer than the 84 security bulletins released in 2010, addressing 102 vulnerabilities.
Apple does not pre-announce or release its security updates on a regular schedule, which makes it difficult for companies to prepare for patch deployment in their environments. Apple’s software is also based on a large number of third-party components that have their own vulnerabilities. For example, an update for Mac OS X will probably include fixes for Apache, MySQL, Java, OpenSSL, PHP, Python and so on. The problem with this is that a period of time passes between the moment the vulnerability is fixed in the third-party component and the time when Apple updates the component in its system.
Apple does not provide a severity rating for its bulletins, but they usually contain a large number of fixes and must all be considered critical.
The number of security bulletins released by Apple has been pretty constant over the last few years – between 30 and 40 bulletins per year. 38 security bulletins were released by Apple in 2011, addressing an impressive number of 402 vulnerabilities. The same number of bulletins was released in 2010. Two years ago the number of vulnerabilities hit 468.
Oracle releases their security updates using two schedules. Java updates are released three times per year in February, June and October. All other products’ security updates are released once per quarter in January, April, July and October.
As the updates are concentrated in quarterly batches, all security bulletins from Oracle include a large number of security fixes for a large number of Oracle products (except for the Java updates), and they are all rated critical.
Occasionally – one to two times a year – for some high-impact vulnerabilities, Oracle does provide an out-of-band security fix.
334 vulnerabilities were fixed in the nine security bulletins provided by Oracle in 2011. This is more than the 273 vulnerabilities addressed in 2010.
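The fixed release cycles described above (Microsoft and Adobe on the second Tuesday of each month, Mozilla every six weeks, Oracle in set months) can be turned into a planning calendar. The following is an added example, not code from the original post; the Firefox reference date is a constructed assumption supplied by the caller, and the Oracle entries use the first of the month as a placeholder because the post gives only the months.

```python
"""Patch calendar built from the vendor release cycles described in the post."""
import calendar
from datetime import date, timedelta

# Months in which Oracle ships its quarterly updates and its separate Java updates.
ORACLE_CPU_MONTHS = (1, 4, 7, 10)
ORACLE_JAVA_MONTHS = (2, 6, 10)


def second_tuesday(year: int, month: int) -> date:
    """Microsoft (and Adobe) Patch Tuesday: the second Tuesday of the month."""
    first_weekday, _ = calendar.monthrange(year, month)  # Monday == 0
    offset_to_first_tuesday = (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, 1 + offset_to_first_tuesday + 7)


def patch_tuesdays(year: int) -> list[date]:
    """All twelve Patch Tuesday dates for a year."""
    return [second_tuesday(year, month) for month in range(1, 13)]


def six_week_cycle(reference: date, year: int) -> list[date]:
    """Mozilla Firefox: one release every six weeks, counted from a reference
    release date (an assumption chosen by the caller, not taken from the post)."""
    releases, current = [], reference
    while current.year <= year:
        if current.year == year:
            releases.append(current)
        current += timedelta(weeks=6)
    return releases


def exposure_days(schedule: list[date]) -> list[int]:
    """Gap in days between consecutive releases: how long a host patched on one
    release waits before the next batch of fixes is available to deploy."""
    return [(later - earlier).days for earlier, later in zip(schedule, schedule[1:])]


def patch_calendar(year: int, firefox_reference_iso: str) -> dict[str, list[date]]:
    """Combine the fixed-schedule vendors into one calendar keyed by vendor."""
    return {
        "Microsoft/Adobe": patch_tuesdays(year),
        "Mozilla": six_week_cycle(date.fromisoformat(firefox_reference_iso), year),
        # Placeholder day 1: the post states the months, not the day within them.
        "Oracle CPU": [date(year, m, 1) for m in ORACLE_CPU_MONTHS],
        "Oracle Java": [date(year, m, 1) for m in ORACLE_JAVA_MONTHS],
    }


if __name__ == "__main__":
    # "2011-03-22" is a constructed reference date, not an actual Firefox release.
    for vendor, dates in patch_calendar(2011, "2011-03-22").items():
        print(vendor, [d.isoformat() for d in dates])
```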
Google releases security updates for Google Chrome very frequently, sometimes three times a month. Their release cycle is fast and the product is updated on a continuous basis. This is fine for home users who let the product update itself automatically, but for enterprises that want to test patches before applying them in a production environment it can be overwhelming: Google Chrome receives more security fixes, and twice as often, than all Microsoft products combined. The number of vulnerabilities discovered in Google Chrome is also on the increase.
22 Google Chrome updates contained security fixes for 255 vulnerabilities in 2011. This is more than the 147 vulnerabilities addressed by security fixes in 2010.