Mulling Adobe’s Patch Tuesdays

Software’s Sublimation by Alex Goldman

Data’s diffusion throughout business and into the cloud

Adobe is re-thinking how it responds to incidents, writes code, and issues patches, according to a blog post by Brad Arkin, Adobe’s director of product security and privacy.

The JBIG2 zero-day flaw in its Reader and Acrobat products was a wake-up call for the company, Arkin wrote.

“Everything from our security team’s communications during an incident to our security update process to the code itself has been carefully reviewed. Security is an ongoing process, so while we believe our plan will eliminate or mitigate many potential security risks, we are also working to enhance our ability to respond to externally found vulnerabilities in Adobe Reader and Acrobat in the future,” Arkin wrote.

Some experts advise turning off JavaScript in Reader and Acrobat. After all, there were security flaws involving Adobe and JavaScript in November and again in February.

When JBIG2 was revealed, experts again recommended turning off JavaScript.

Experts also criticized Adobe for failing to patch old versions of its software during its response to the JBIG2 flaw. Arkin promised “simultaneous patches for more affected versions as we move forward.”

Arkin also promised fundamental changes to the way Adobe writes code in an initiative called Secure Product Lifecycle (SPLC) that he admitted is similar to Microsoft’s Security Development Lifecycle (SDL).

He added that although the process has improved new code, Adobe needs to re-examine its old code. “The SPLC activities have been successful in mitigating threats in new code development, but did not fully address problems in the existing code base. Therefore, an initiative in the current security effort has been focused on hardening at-risk areas of the legacy code,” he said.

