
Security Patching Trends for Major Software Vendors

on March 13, 2012

An important aspect of patch management and your patching schedule is to understand the patch release cycles adopted by the most important software vendors. In this post, we take a look at some statistics on this topic and how patch release cycles have changed over the last few years.

The big players in the software industry are taking security seriously. They are becoming more efficient at fixing security issues, and the results are evident. Six vendors (Microsoft, Adobe, Mozilla, Apple, Oracle and Google) together released 257 security bulletins/advisories fixing 1,521 vulnerabilities in 2011. In 2010, the same vendors fixed 1,458 vulnerabilities.

In practice, a typical machine that is not patched is exposed to between 30 and 50 new security vulnerabilities for each month since it was last patched. More statistics about vulnerabilities discovered in 2011 are available here.

Microsoft

Microsoft releases its security updates on the second Tuesday of every month. This well-known release schedule helps users plan their deployments accordingly. It is recommended that new patches are tested before they are applied in a production environment, because some patches cause issues in some cases, from preventing a service from starting to crashing the system. Occasionally, when critical vulnerabilities are identified or have been publicly disclosed, Microsoft releases a fix outside the ordinary schedule.

Microsoft released 100 security bulletins in 2011, addressing 240 vulnerabilities. This is fewer than in 2010, when 106 security bulletins were released, addressing 266 vulnerabilities. The number of critical security issues detected in Microsoft products is decreasing; however, the number of security updates remains high due to non-critical security issues.
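A small Python helper, added here as an illustration rather than code from the post, that computes Microsoft's second-Tuesday release dates and tallies how many release cycles each host has outstanding, applying the post's 30-to-50-per-month rule of thumb; the fleet inventory it runs over is constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample inventory (hostname -> last successful patch run);
# not data from the original post.
FLEET_LAST_PATCHED = {
    "dc01": date(2012, 2, 14),
    "web02": date(2011, 11, 8),
    "lab-vm": date(2011, 6, 14),
}
POST_DATE = date(2012, 3, 13)          # the day this post was published
NEW_VULNS_PER_MONTH = (30, 50)         # the post's rule of thumb per unpatched month


def patch_tuesday(year, month):
    """Second Tuesday of the month: Microsoft's (and Adobe's) regular release day."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    offset_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=offset_to_first_tuesday + 7)


def patch_tuesdays_between(start, end):
    """Patch Tuesdays strictly after `start` and up to and including `end`."""
    found = []
    year, month = start.year, start.month
    while (year, month) <= (end.year, end.month):
        release = patch_tuesday(year, month)
        if start < release <= end:
            found.append(release)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return found


def exposure_report(fleet, today):
    """Per host: outstanding release cycles and the estimated range of unaddressed vulns."""
    report = {}
    for host, last_patched in fleet.items():
        cycles = len(patch_tuesdays_between(last_patched, today))
        low, high = NEW_VULNS_PER_MONTH
        report[host] = {
            "missed_cycles": cycles,
            "est_new_vulns": (cycles * low, cycles * high),
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(exposure_report(FLEET_LAST_PATCHED, POST_DATE).items()):
        print(host, info)
```

A release that falls on the report date counts as outstanding, so a host patched on the previous Patch Tuesday shows one cycle due on the day the new bulletins ship.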


Adobe

Adobe adopted the Microsoft model and releases its security updates on “Patch Tuesdays”. Customers wanted a single patch cycle for both Adobe and Microsoft so that it would be easier to keep their systems fully patched. Adobe products have been a preferred target for hackers and security researchers over the past few years, and numerous fixes were released as a result.

Adobe released a total of 29 security bulletins in 2011, addressing 197 vulnerabilities. This is one fewer bulletin than in 2010, when there were 30 security bulletins addressing 202 vulnerabilities.


Mozilla

Mozilla releases a new version of Firefox that includes the latest security fixes every six weeks. Occasionally they release updates containing security fixes out of the normal six-week cycle.

Mozilla released 59 security bulletins in 2011, addressing 93 vulnerabilities – fewer than the 84 security bulletins released in 2010, which addressed 102 vulnerabilities.


Apple

Apple does not pre-announce its security updates or release them on a regular schedule, which makes it difficult for companies to prepare for patch deployment in their environments. Apple’s software also incorporates a large number of third-party components that have their own vulnerabilities. For example, an update for Mac OS X will probably include fixes for Apache, MySQL, Java, OpenSSL, PHP, Python and so on. The problem with this is the period of time that passes between the moment a vulnerability is fixed in the third-party component and the time when Apple updates that component in its system.

Apple does not provide a severity rating for its bulletins, but they usually contain a large number of fixes and must all be considered critical.

The number of security bulletins released by Apple has been fairly constant over the last few years – between 30 and 40 bulletins per year. Apple released 38 security bulletins in 2011, addressing an impressive 402 vulnerabilities. The same number of bulletins was released in 2010. Two years ago the number of vulnerabilities hit 468.


Oracle

Oracle releases its security updates on two schedules. Java updates are released three times per year, in February, June and October. Security updates for all other products are released once per quarter, in January, April, July and October.

Because the updates are concentrated in quarterly batches, every security bulletin from Oracle (except the Java updates) includes a large number of security fixes for a large number of Oracle products, and they are all rated critical.

Occasionally – one to two times a year – for some high impact vulnerabilities, Oracle does provide an out-of-band security fix.

Oracle fixed 334 vulnerabilities in the nine security bulletins it released in 2011. This is more than the 273 vulnerabilities addressed in 2010.


Google

Google releases security updates for Google Chrome continuously, sometimes as often as three times a month. Their release cycle is fast and the product is updated on an ongoing basis. This is fine for home users who let the product update itself automatically, but for enterprises that want to test patches before applying them in a production environment it can be overwhelming: Google Chrome receives more security fixes, and twice as often, as all Microsoft products combined. The number of vulnerabilities discovered in Google Chrome is also on the increase.

In 2011, 22 Google Chrome updates contained security fixes for 255 vulnerabilities. This is more than the 147 vulnerabilities addressed by security fixes in 2010.


Sources:

Microsoft – http://technet.microsoft.com/en-us/security/bulletinarchive?y=2012&m=1

Adobe – http://www.adobe.com/support/security/index.html

Mozilla – http://www.mozilla.org/security/announce/

Oracle – http://www.oracle.com/technetwork/topics/security/alerts-086861.html?ssSourceSiteId=ocomen

Apple – http://support.apple.com/kb/HT1222

Google – http://googlechromereleases.blogspot.com/search/label/Stable%20updates


About the Author:

Cristian Florian is product manager at GFI Software. Starting as a software developer, he built his career step by step, gaining more than 12 years of experience in network security and software development. He currently oversees GFI LanGuard, a successful network security scanning and patch management solution.

Comments

David Loeb, March 14, 2012, 12:41 am

Apple patch deployment can definitely be frustrating compared to Microsoft. Certainly it seems like Windows machines have more severe security threats than OS X stations, but having a surprise patch that you need to send out all night can be a real headache as opposed to the more frequent yet predictable patches of Microsoft that you can set your watch to.

J. Paul, March 14, 2012, 9:46 am

It would be great if all major vendors, and not only they, adopted a regular patch release schedule, leaving only critical releases on an as-necessary basis, because this would make it much easier to patch. Once a week is best for me because it isn’t too frequent but is soon enough. Once in three months, as is the case with Oracle, is too long. I hope Google at least will join the once-a-week group, but probably their priorities are different.

Michael Boris, March 15, 2012, 6:23 am

Well, this is the reason why Apple is one of the most admired tech companies in the world. I’ve been an Apple Fan Boy for quite some time now – 15 years to be exact – and I admire how their security updates work. Even my 8-year old kid knows about them.

Their security updates are right on target, with not that much technical stuff for ordinary users like me. And as you can see on the graph above, for two straight years (2010 and 2011), the company has the highest number of vulnerabilities fixed by their security updates. This just proves that Apple has excellent after-sale customer service.