Security Watch

Adobe Patch Irks Windows Users

Plus: Microsoft's "Morro"; U.S. Senator ticked at cyber coordinator role.

Microsoft and Adobe Systems both had huge patch roll outs last week. For its part, Adobe recently decided it would be wise to latch on to Microsoft's Patch Tuesday event given that many Windows users also use Adobe Acrobat's .PDF files and other applications. Last Tuesday was Adobe's first scheduled security update under its new quarterly release cycle, and thirteen CVEs vulnerabilities were patched along with several issues Adobe discovered.

But apparently for some Windows users the process in the past hasn't been all that seamless. Microsoft has interoperability mechanisms that allow third-party software updates to be pushed via enterprise patch management tools, namely Systems Center Operations Manger and Configuration Manager. Adobe had been making use of these configuration tools to push out its own updates on the backs of Windows .msp files -- files for updating the OS that includes with security updates or Microsoft hotfixes -- for easy patching.

According to certain user forums, such as the link listed above, there is something on Microsoft's end that causes some third-party patch inventory to crash when a user attempts to parse and add them.

Microsoft has stated it will take months to release a fix and continued this assertion when reached for comment.

Security experts who commented but requested anonymity contend that Redmond may be increasing the risk to enterprise customers by taking so long to fix a pivotal segue tool, creating the opportunity for such a problem scenario to recur.

Microsoft Ramps Up "Morro"
Microsoft called it a breakthrough in security software. Symantec called it a capitulation and an admission that OneCare flopped and proof-positive that stand-alone security products are "not in Microsoft's DNA."

Despite the vicious salvos from defensive competitors, Redmond said this week it is moving forward with increased testing of its free antivirus software program, but still didn't give a definitive date for a public rollout. The original announcement pegged the release for "late 2009."

Critics, especially those coming from competitors, see this as a makeover for the much ballyhooed Windows Live OneCare, rather than a fresh, new product launch.

Back in November when the initiative was announced, security pros told me that it was essentially OneCare reframed.

Time will tell what the new AV initiative does to the marketplace, because it's free. Also, it remains to be seen how enterprise users will react to it.

U.S. Senator Ticked at Role of Cyber Coordinator
Microsoft's head of cyber security Scott Charney is said to be a leading candidate for President Barack Obama's new cybersecurity coordinator position. But the word around the blogosphere is that he likely won't leave and then deal with the jockeying for position among private- and public-sector stakeholders -- to say nothing of, well, those pesky threats to cybersecurity domestically and globally.

Indeed, the challenges for whoever takes the helm as President Barack Obama's new cyber coordinator will be complex, because of the unseen enemies that are hackers, the vastness of the Internet and the automation of malware. But before any of those issues are tackled, there are notable political considerations based on what emerged this week.

Sen. Joseph Lieberman, who is acting chair of the Senate Committee on Homeland Security and Governmental Affairs, said he fears that a new "cybersecurity czar" will "undercut the role of the Department of Homeland Security."

The White House responded in a statement saying there will be "no realignment of roles and mission for the [DHS]," and the department's operational role will not be undercut."

It's likely that this debate about the role and scope of the position will continue on Capitol Hill as well as in the confines of the private sector. Meanwhile, notwithstanding resistance around lawmakers and turf-protecting bureaucrats, there will still be the nagging questions of IT security to be addressed once the candidate is hired and shows up on his or her first day on the job.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

comments powered by Disqus

Subscribe on YouTube