Adobe, which has been under fire for the security of its flagship products, Flash and Reader, for some time now, may be on the verge of changing its patching process to push fixes out on a monthly schedule, which would coincide with Microsoft’s monthly Patch Tuesday releases.
The change would be the second major adjustment to Adobe’s patching process in the last year or so. In 2009 the company moved to a scheduled quarterly patch release process in an effort to give its customers a better chance to plan for testing and deployment. That change was generally well-received and Adobe has been releasing its patches on the same day as Microsoft’s Patch Tuesday each quarter.
Now Adobe may change the schedule again in order to get patches out more quickly. The company is considering releasing its security fixes for Reader on a monthly schedule, the same day as Microsoft releases its patches, according to a report by The H Security. The report says Brad Arkin, Adobe’s director of product security and privacy, is considering the monthly cycle as one option for getting Reader fixes out more quickly.
“In view of the large number of security vulnerabilities discovered in
recent months, major customers appear to have increased the pressure on
Adobe to reduce the interval between security patch releases. Arkin has
told The H’s associates at heise Security that a monthly cycle is one of
the alternatives currently under discussion,” the report says.
An Adobe spokeswoman said that the company is carefully evaluating this possibility, along with other options.
Arkin gradually has been making a number of major changes to the way that Adobe handles security over the last year or so, not just on the patching front. In addition to moving Reader to a quarterly patch cycle last year, Adobe also released an automatic update mechanism, similar to Microsoft’s Windows Update, that enables users to automatically download and install Reader patches.
Adobe also has ramped up its internal software security program in the last couple of years, instituting a formalized training process for developers and participating in the BSIMM process for measuring the maturity of its security program.
However, these changes have done little to blunt the criticism of Adobe by security researchers and customers. The company’s installed base is by some measures the largest of any software maker, putting it in much the same position that Microsoft has been in for the last 10 years or so: an easy target.
“When you’re looking at it from the attacker’s perspective, the install
base is – is a big attractive metric to look at. And with Adobe Reader
and Flash Player, these are two applications that are installed on a lot
more machines than Windows is, for instance. And so, that’s something
that paints a bigger bull’s eye. And so, that’s something that’s not
gonna change. You know, we’ve got this ubiquitous software, and the
responsibility is on us in order to do the things that we can do in
order to help protect our users,” Arkin said in a Threatpost podcast on
Adobe’s security processes.