First it was Microsoft, then Oracle, then Cisco, and now Adobe.
The San Jose, Calif. maker of the ubiquitous Acrobat and Reader software is the latest software vendor to announce a strategy for dealing with vulnerabilities. Adobe announced this week that it plans to release quarterly fixes, joining a number of other high-profile players who decided to make their security patches available on a scheduled basis, to make life easier for everyone.
In addition, Adobe said it will begin placing increased efforts on hardening its code (to prevent vulnerabilities wherever possible) and distributing pertinent information to security professionals (if a flaw can’t be avoided).
This undertaking by Adobe was critical, considering the company was getting some serious bad press within the blogosphere after it took a while to patch a critical zero-day early this year. Some experts — and rightfully so — asked why organizations have decided to make Reader their de facto standard, when other, seemingly more secure (or at least less targeted) PDF viewers exist.
Adobe recognized the possibility of losing market share over this – and responded.
While we’re on the subject of major software makers, when is Apple going to get its act together? My own issues aside — Apple is notoriously poor at responding to press calls — the Cupertino computing giant must start being more transparent with its security efforts.
As it stands now, Apple gives little information about issues affecting its Mac OS X platform, and users typically are caught off guard when patches are released. This has incensed a number of very smart security researchers. It even prompted one, Landon Fuller, to this week publish an, albeit benign, proof-of-concept for a Sun Java bug that was fixed months earlier but still was present in the Mac OS X ships. Fuller, a former Apple engineer himself, said the only way to get Apple to act is by demonstrating a flaw’s severity.
Apple, we know your box is not nearly as targeted as Windows. Maybe it’s because of more secure code. Maybe it’s because you have a lesser market share. Heck, maybe it’s because a lot of hackers like the iPhone and feel bad trying to intrude on your IP.
But, even so, even if one person in the world uses your platform, it’s your duty to be as responsive about security issues as you possibly can be.
And right now, you’re failing at it. (And not returning my phone calls to boot).