GFI Software has warned that July is a critical month for software patching and vulnerability updates, with not only a major update issued on Microsoft’s Patch Tuesday, but also several major patch payloads in circulation from other software vendors including Oracle, Adobe, Google, Apple and Mozilla.
Oracle is expected to issue a major patch roll-up later this month, encompassing a range of updates for its enterprise applications, as well as the on-going updates expected for the Oracle-owned Java technology.
“In the last month, our patch tracking data has shown that third-party applications – those not from Microsoft and not included in the Windows Update service – account for a substantial volume of critical updates,” said Sergio Galindo, global product manager at GFI Software. “Over the period, we’ve seen multiple updates to both Mozilla’s Firefox browser and Thunderbird email client. Google’s Chrome browser has also had three patches issued while Skype, Java and Apple’s QuickTime have all had at least one major patch issued to address vulnerabilities or system performance issues. This is just a small subset of the applications used in workplaces on a daily basis that have had patches issued in the last month or are due to be patched in the coming days.”
The disparate nature of third-party applications means that IT admins and end users face an on-going challenge to find, test and deploy all the updates needed to keep clients and servers up-to-date. Some companies, such as Adobe, have a unified updater for all their products, but this still means that multiple vendor sources have to be tracked on a regular basis.
“Our data underlines an important point: there is far more to patch management than just letting Windows Update do its work,” Galindo added. “Microsoft applications form a relatively small part of most organisations’ software set. It is the third-party patches from application providers other than Microsoft that provide both the biggest challenge as well as the bulk of the patching workload. These patches don’t benefit from a unified built-in patching update service, so unless an organisation takes steps to deploy all-encompassing patch management systems that push vetted patches for both the OS and all major apps out to devices, they face having to undertake extensive work and manual intervention to keep most of the applications in use up-to-date.”
The Oracle patch update is expected to be released on 19 July.