Secure Channel, Ziff Davis Enterprise
Wednesday, September 23, 2009 4:39 PM/EST

Can We Wait Six Months for Another Cisco Security Patch?

Cisco Systems, the market leader in core networking gear, unleashed a torrent of security patches today to correct a dozen vulnerabilities in its IOS operating system and Unified Communications Manager. If left unpatched, these vulnerabilities could result in a “breach of confidentiality” or denial of service, Cisco said in its patch release notice.

The vulnerabilities range from an access control list bypass vulnerability to an authentication proxy vulnerability to an Internet key vulnerability. In total, Cisco published 11 new security advisories for IOS and UCM in the first patch release in nearly six months.

Like other major IT vendors, Cisco publishes patches and updates on a routine, predictable basis. Microsoft, for instance, releases its patches on the second Tuesday of each month. Oracle typically releases its patches in the first week of each month. And Adobe recently announced that it would start issuing patches on a monthly routine. Cisco, however, releases patches on a biannual basis - every six months.

The next Cisco security patch release is scheduled for March 24, 2010.

Given the frequency of network and data breaches, can Cisco users go for six months without a security patch? Are Cisco vulnerabilities forcing solution providers to come up with workarounds to protect systems until patches are released? Or are attacks against switches and routers so infrequent now that leaving a vulnerability unpatched for extended periods is a nominal risk?

Comments (1)

Brian Masinick:

Wow, to me, security fixes should be made available as rapidly as possible, period! This sounds like an opportunity for some competition to come in and eat CISCO's lunch! I would make an issue out of the lack of attention paid to critical security issues. That said, I am not sure what the issues are and the nature of their criticality, but anything that could be a denial of service (DoS) attack, some kind of messaging storm, or any other kind of intrusion, especially at the router level, ought to be taken EXTREMELY seriously! I cannot imagine it being otherwise.

Not being intimately familiar with CISCO routers, the nature of the defects or their severity, perhaps this just is inviting controversy over nothing - but then again, it may not BE nothing, it may be significant. If I were CISCO, I'd be looking to fix defects as soon as a remedy is available. If I were a CISCO customer, I would demand that, and be looking for other more responsive alternatives.
