Almost a year after changing its development process and a week away from a Jan. 12 patch for yet another zero-day vulnerability, Adobe Systems remains a popular target for attackers. But the company is not taking it sitting down.
Adobe Systems took its share of security hits in 2009. It
changed its update schedule and took steps to improve application development,
but still ended the year with a prediction
that the number of attacks against Adobe products would surpass
those against Microsoft Office.
Officials at Adobe know this; in fact, they anticipate
will move on their products with increased intensity in 2010.
For that reason, the company is rolling out an automatic update mechanism and continuing
to work on tightening security.
"With our October 2009 security update for Adobe Reader
and Acrobat, we shipped a beta version of a new updater that will keep end
users up-to-date in a much more streamlined and automated way, making it easier
to get users to upgrade to the latest, most secure version of the product,"
said Brad Arkin, director of product security and privacy at Adobe. "The
first trial of the new updater for beta pilot users will be the Jan. 12
quarterly security update. Our goal is to quickly exit the beta phase and use
the new updater as the default for all Adobe Reader and Acrobat users. Using an
'opt out' model, the new Adobe Reader and Acrobat updater will be configured to
download and install updates in the background without requiring user
Customers also have the option of changing the
configuration, which may be appropriate for enterprise users following
specific to their particular organization, Arkin added.
you find the vulnerabilities in this code? Click here for more.
In February 2009, Adobe began changing its development process by including
analysis of legacy code in updated applications such as new versions of Adobe
Reader. As part of its new security process, Adobe also introduced the ASSET (Adobe
Secure Software Engineering Team) Certification Program for its engineering and
product teams to raise awareness and implement best practices during the design
In addition to those changes, the company also altered its
patch release schedule to align with Microsoft's monthly Patch Tuesday updates.
The Jan. 12 update will fix a zero-day vulnerability in Adobe Reader and
Acrobat that came under attack in December 2009.
"One of the main attack vectors we have observed for
last quarterly update for Adobe Reader and Acrobat introduced security
an improved 'gold bar' user interface (an improvement from the previous pop-up
which could have significant impact on both user experience and productivity."
In the end, Arkin said, the prevalence of products such as
Adobe Reader and Adobe Flash keeps them on the menu for attackers.
"Of course, security is a process and not a task that
is ever finished," he said. "We continuously monitor the threat
landscape and the latest developments in the security community, and ... our
security processes [evolves] accordingly as part of our ongoing security
efforts to help ensure the security of our customers."