Adobe is rethinking how it responds to incidents, writes code, and issues patches, according to a blog post by Brad Arkin, Adobe's director of product security and privacy.
The JBIG2 zero-day flaw in its Reader and Acrobat products was a wake-up call for the company, Arkin wrote.
“Everything from our security team’s communications during an incident to our security update process to the code itself has been carefully reviewed. Security is an ongoing process, so while we believe our plan will eliminate or mitigate many potential security risks, we are also working to enhance our ability to respond to externally found vulnerabilities in Adobe Reader and Acrobat in the future,” Arkin wrote.
Some experts advise turning off JavaScript in Reader and Acrobat. After all, there were security flaws involving Adobe and JavaScript in November and again in February.
When the JBIG2 flaw was revealed, experts again recommended turning off JavaScript. That advice did not fix the bug itself, which lives in the image decoder rather than in the script engine, but the exploits circulating at the time used JavaScript to prepare memory before triggering the decoder, so disabling it blocked them.
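A practitioner who cannot yet deploy the fix wants a quick way to spot PDFs that combine the two ingredients discussed above: a JBIG2-encoded image stream and embedded JavaScript. The following triage script is an added example and is not code from the article, Adobe, or any of the quoted experts. It scans a file for PDF name tokens, resolves the `#xx` hex escapes that attackers use to hide keywords (so `/J#61vaScript` is recognised as `/JavaScript`), and grades the result. The two sample PDFs are constructed inline for the demonstration; the `triage_pdf` and `verdict` functions and the keyword table are the author's choices, not an Adobe or industry standard.

```python
import re

# PDF name objects may disguise keywords with #xx hex escapes (PDF 1.2+), e.g. /J#61vaScript.
_NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

# Keyword table chosen for this example: what each token means for a reviewer.
SUSPICIOUS = {
    b"JavaScript": "JavaScript action dictionary",
    b"JS": "JavaScript code (string or stream)",
    b"JBIG2Decode": "JBIG2 image stream (the decoder hit by the 2009 zero-day)",
    b"OpenAction": "action runs automatically when the document opens",
    b"AA": "additional-actions dictionary (page/field event triggers)",
    b"Launch": "launch action (runs an external program)",
}


def normalize_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated name compares equal to its plain form."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data: bytes) -> dict:
    """Count suspicious name tokens in raw PDF bytes after de-obfuscating #xx escapes.

    This is string-level triage, not a PDF parser: names inside FlateDecode'd
    content or PDF 1.5 object streams are invisible to it, so an empty result
    is not proof that a file is safe.
    """
    counts: dict = {}
    for m in _NAME_RE.finditer(data):
        name = normalize_name(m.group(1))
        if name in SUSPICIOUS:
            key = name.decode()
            counts[key] = counts.get(key, 0) + 1
    return counts


def verdict(counts: dict) -> str:
    """Grade the token counts. JBIG2 plus script is the combination seen in 2009."""
    has_script = "JavaScript" in counts or "JS" in counts
    if "JBIG2Decode" in counts and has_script:
        return "high"
    if has_script or "Launch" in counts:
        return "medium"
    if counts:
        return "low"
    return "clean"


# Constructed sample: a minimal, script-free PDF.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: an auto-run JavaScript action (name hex-escaped) plus a
# JBIG2 image stream. The script body is inert filler, not an exploit.
HOSTILE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (var s = 'A'; while (s.length < 1024) s += s;) >> endobj\n"
    b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1"
    b" /Filter /JBIG2Decode /Length 4 >> stream\n\x00\x00\x00\x01\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("hostile", HOSTILE_PDF)):
        found = triage_pdf(pdf)
        print(label, verdict(found), found)
```

Run it against a real file with `triage_pdf(open(path, "rb").read())`. A "high" result is a reason to open the file only in a hardened viewer or not at all; a "clean" result is only a reason to move on to a proper parser, since compressed object streams hide every name this script looks for.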
Experts also criticized Adobe for leaving older versions of its software unpatched while it fixed the current one during its response to the JBIG2 flaw. Arkin promised “simultaneous patches for more affected versions as we move forward.”
Arkin also promised fundamental changes to the way Adobe writes code under an initiative called the Secure Product Lifecycle (SPLC), which he acknowledged is similar to Microsoft’s Security Development Lifecycle (SDL).
He added that although the process has improved new code, Adobe needs to re-examine its old code. “The SPLC activities have been successful in mitigating threats in new code development, but did not fully address problems in the existing code base. Therefore, an initiative in the current security effort has been focused on hardening at-risk areas of the legacy code,” he said.
Adobe Tuesdays
Adobe will issue quarterly security updates, each bundling multiple fixes, on the same “patch Tuesday” as Microsoft. Arkin said that Adobe’s customers already have systems and resources in place to handle Microsoft’s updates and have asked Adobe to release its patches on the same day.
Arkin noted that the company’s two most recent releases, on March 10, 2009 and May 12, 2009, both landed on a patch Tuesday, but said that was pure coincidence. “The timing was coincidental. In both cases, we shipped the patches as soon as we finished testing them,” he said.
Microsoft has released its patches in a monthly batch on the second Tuesday of each month, now known as patch Tuesday, since October 2003.
Microsoft’s most recent patch Tuesday showed that Adobe is not alone among software vendors in needing to patch flaws in widely used software. The latest update fixed PowerPoint flaws that allowed remote code execution when a user opened a malicious file, which is enough to give an attacker a foothold inside an enterprise network.
Of course, while companies like Adobe and Microsoft struggle to deliver a predictable and easy-to-use patch process, far too many business and home users are not patching their own software, according to a recent report . . . from Microsoft.
If you’re reading this and you’re an IT manager, of course you should patch the PCs in the office you run; and whatever your job, you might consider making sure that any Microsoft and Adobe software you have at home is also up to date.
Adobe will issue its first patch Tuesday-style fix this summer, but a spokesperson could not tell InternetNews.com which month that would be.