No Adobe patches
Either everything is fine and doesn't need any more fixing, or they haven't finished writing the patches...
October brings a relatively light patch load for admins and users, thanks to Adobe's decision to sit out this month's update bonanza. Cloudy patch bundle from Microsoft For Microsoft, the Patch Tuesday update is a manageable 59 CVE-listed bugs for Windows, Edge, Office, and Azure. Among the nine critical issues patched this …
I'm starting to wonder if the reverse is probably closer to the truth. For example, when SQL injection was first discovered, a host of sites were targetted - including the UN and Vatican Radio, IIRC - and we had clients asking why we never protected their sites against that in the first place. Simple answer was that when their site was built (back when dinosaurs ruled the earth) nobody had ever thought about that because it simply hadn't happened yet.
Older software will be using techniques that were best practice at the time, but are now considered everywhere on the scale from possibly questionable to leakier than a boat made of Swiss cheese. The problem is that finding and fixing them is often more difficult and expensive as time goes by, because you have to preserve the functionality of the original.
Perhaps we should start using the term "security rot" for older software as it begins to accumulate known and unknown vulnerabilities?
Biting the hand that feeds IT © 1998–2019