By John Leyden
6th March 2008
Cisco has taken a leaf out of Microsoft's book by adopting a regular
patch release cycle. However, the change will apply only to security
bugs involving its core IOS software and not all its products.
Starting on 26 March, Cisco will release bundles of IOS security
advisories on the fourth Wednesday of March and September in each
The networking giant gave itself room for manoeuvre by reserving the
right to publish out of sequence patches in cases where serious security
vulnerabilities are publically disclosed or for bugs which become the
target of active exploitation.
Cisco will continue to issue security advisories for products other than
IOS, its network operating system that features on a wide range of Cisco
switches and routers, as and when needed. For example, future security
updates to VoIP kit will be published without reference to any regular
patch release schedule, according to Cisco's pre-existing standard
disclosure policy .
As with Microsoft and Oracle before it, Cisco explained the change is
the result of customer requests for greater predictability over the
timing of patch releases. Its patch cycle is less frequent than Oracle's
quarterly release schedule and Microsoft's infamous Patch Tuesday
updates, partly because network security updates are often trickier to
test and roll out than application or operating system patches.
The format of Cisco's advisory will remain unchanged, as explained here .
Subscribe to InfoSec News