Last week a journalist reached out to us and asked:
There were 273 vulnerabilities (104 Apple across OSX and iOS, 79 Adobe, 71 Microsoft and 19 Google) patched by just 4 vendors in just this 1 week. Those numbers are, frankly, incredible. The question is, should they also be of concern?
It's an interesting question. Is this good news or bad news? Our systems and their potential vulnerabilities are always a cause for concern. There are two sides to the security update story, however.
The optimist would hope that the number of updates and patches indicates that all known vulnerabilities are now patched and each vendor's software is completely up to date and locked down tight. In this case 273 fixes is better than, say, 200, because the optimist feels so much safer with more things fixed.
The pessimist sees the underside of this. The pessimist feels that 273 patches is an indication that we can't keep up with the problems in our own software infrastructure and we're all doomed. Next time it will be 300 patches and so forth until we can no longer keep up.
The truth is somewhere in between. First of all, not all "patches" address a flaw that can be exploited by hackers to infiltrate your system. Some just fix a font. Also, one patch can do 6 things, or 6 patches can do 6 things. The actual number is a "soft" number. Is the number good or bad? Who knows?
The fact is, this will continue, and it needs to, as long as software runs on your premises. The producers of software need to keep it up to date, and patches are the mechanism by which they do this. The movement to the cloud will eventually make conversations like this moot, as vulnerabilities are closed in real time and weekly patches become a thing of the past.