Adobe to issue scheduled patches, invest more in code review
Perhaps most notable for end-users is Adobe's plan to release security fixes for Reader and Acrobat on a scheduled basis starting this summer. The move mirrors similar decisions by other leading software providers such as Microsoft and Oracle, which have moved to monthly and quarterly release cycles, respectively.
Brad Arkin, Adobe's director of software security and privacy, said the patches will be distributed four times a year, coincident with at least four of the same days that Microsoft pushes out its fixes.
"Enterprises have already optimized their process where they're ready to receive security updates on Patch Tuesday," he told SCMagazineUS.com on Wednesday. "The feedback from our customers is that it's not any additional work to add updates for Reader. We're hoping to get people in the habit of applying these updates."
He added that more pressing patches will be distributed on an as-needed basis.
The company bore widespread criticism earlier this year after it disclosed a gaping hole in its Reader and Acrobat software on Feb. 19. Attackers had been exploiting the flaw since late last year, using specially crafted PDFs in targeted attacks. But the company did not issue a fix until March 11.
Some security experts, such as F-Secure Chief Research Officer Mikko Hypponen, have advised users to stop using Adobe Reader. He said the incremental rise in drive-by exploits targeting PDF flaws should persuade users to consider alternatives. F-Secure recently said Reader and Acrobat were the most commonly targeted file type.
"The Adobe [products]...are now part of the enterprise de facto suite of products that is on every desktop and laptop," Andrew Storms, director of security operations at network security firm nCircle, told SCMagazineUS.com on Wednesday. "There's more to be gained now by finding holes in those products."
The new undertaking by Adobe also will focus on increased efforts to harden code, particularly on legacy versions, where its Secure Product Lifecycle (SPL) process has fallen short, Arkin said. Adobe engineers will perform additional security reviews, such as input validation, as well as leverage some of the latest fuzzing tools, "to throw malformed data at interfaces" in hopes of finding a vulnerability.
Adobe also plans to strengthen its incident response to provide quicker patch turnarounds and additional information, such as workarounds, through advisories and on blog posts.
Arkin said the zero-day incident brought to light some areas in which Adobe could improve. (Another zero-day PDF bug followed soon after but was patched about two weeks after it was announced.)
"One of the things we've seen is the use of exploit packs so that a malware author can now use improved tooling in order to create attacks through different vectors," he said. "Through this increased tooling, we're seeing an uptick in the kinds of attacks being carried out against Reader."
Storms said Adobe had to respond with a new strategy -- or it risked losing market share to other, less targeted, PDF readers. It is a similar response Microsoft made several years ago when Redmond launched its Trustworthy Computing initiative.
"It is the Microsoft of five, six years ago, where they realized their products were valuable but also a liability at the same time," he said. "The outcome [for Microsoft] was not only that they were delivering better products but they regained the trust of their users. Once you lose the trust of your consumers, it's a difficult thing to get back."