Cisco has taken a leaf out of Microsoft's book by adopting a regular patch release cycle. However, the change will apply only to security bugs involving its core IOS software and not all its products.

Starting on 26 March, Cisco will release bundles of IOS security advisories on the fourth Wednesday of March and September in each calendar year.

The networking giant gave itself room for manoeuvre by reserving the right to publish out of sequence patches in cases where serious security vulnerabilities are publically disclosed or for bugs which become the target of active exploitation.

Cisco will continue to issue security advisories for products other than IOS, its network operating system that features on a wide range of Cisco switches and routers, as and when needed. For example, future security updates to VoIP kit will be published without reference to any regular patch release schedule, according to Cisco's pre-existing standard disclosure policy (http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html).

As with Microsoft and Oracle before it, Cisco explained the change is the result of customer requests for greater predictability over the timing of patch releases. Its patch cycle is less frequent than Oracle's quarterly release schedule and Microsoft's infamous Patch Tuesday updates, partly because network security updates are often trickier to test and roll out than application or operating system patches.

The format of Cisco's advisory will remain unchanged, as explained here (http://www.cisco.com/en/US/products/products_security_advisories_listing.html). ®

Related stories

Disaster recovery bug hangs up Cisco comms kit (7 April 2008)
http://www.channelregister.co.uk/2008/04/07/cisco_disaster_recovery_bug/
MS keeps admins busy with critical Vista patches (4 April 2008)
http://www.channelregister.co.uk/2008/04/04/ms_qt_opera_patch_summary/
Cisco unleashes IOS patches (27 March 2008)
http://www.channelregister.co.uk/2008/03/27/cisco_patches/
Cisco-baiting security co goes titsup (20 March 2008)
http://www.channelregister.co.uk/2008/03/20/lockdown_shutdown/
Critical Outlook and Excel bugs star in March Patch Tuesday (12 March 2008)
http://www.channelregister.co.uk/2008/03/12/march_patch_tuesday/
Exploit Wednesday follows Patch Tuesday Word update (11 October 2007)
http://www.channelregister.co.uk/2007/10/11/exploit_wednesday/
MS releases emergency cursor bug fix (4 April 2007)
http://www.channelregister.co.uk/2007/04/04/ms_cursor_bug_patch/
IE 'unsafe' for 284 days last year (5 January 2007)
http://www.channelregister.co.uk/2007/01/05/ie_unsafe/
Patch Tuesday - and other days of the week (11 October 2006)
http://www.channelregister.co.uk/2006/10/11/days_of_the_week/
MS mulls emergency IE fix (26 September 2006)
http://www.channelregister.co.uk/2006/09/26/ms_ie_fix_plan/
Unofficial zero-day patches gain corporate support (4 April 2006)
http://www.channelregister.co.uk/2006/04/04/0-day_patch_survey/
Oracle in war of words with security researcher (26 January 2006)
http://www.channelregister.co.uk/2006/01/26/security_researcher_versus_oracle/
Adobe adopts monthly patch cycle (15 December 2005)
http://www.channelregister.co.uk/2005/12/15/adobe_monthly_patch_plan/
Patchy response to reducing security exposure (21 November 2005)
http://www.channelregister.co.uk/2005/11/21/vulnerability_research_qualys/
Oracle taken to task for time to fix vulnerabilities (20 July 2005)
http://www.channelregister.co.uk/2005/07/20/oracle_vuln_fix/
Oracle moves to quarterly patch cycle (19 November 2004)
http://www.theregister.co.uk/2004/11/19/oracle_quarterly_patch/