After having three known zero-day bugs hit the Web so far in 2009, Adobe Systems is starting to talk security. Since February, Adobe has been making changes to its software development process and is planning to begin issuing quarterly updates starting this summer.
From a security standpoint,
Adobe
Systems has taken its share of lumps so far in 2009.
In
February, news that
Adobe
Reader and Acrobat were vulnerable to a zero-day attack became public; in
April, two other bugs surfaced. All three were eventually patched,
but not before proof-of-concept exploit code for each bug began to
circle. In the case of the flaw publicized in February, hackers feasted on
the bug for at least two months before a fix was issued-and the
initial patch didn't cover every version of the programs.
Since
then, Adobe said, it has been changing its
development
process to improve software security. The project has been focused on three
main areas: hardening the code, improving the incident response process and
putting together a plan for issuing quarterly updates for Reader and Acrobat.
"We
have for years now been following our secure product life cycle, which defines
how we integrate security into the regular way that we build software at
Adobe," said
Brad Arkin, Adobe's
director for product security and privacy. "For most of the projects,
and particularly for Reader and Acrobat, our secure product life-cycle
activities have mainly been focused on the new code and the new features that
we're writing, and it hasn't fully addressed the potential security problems in
the legacy code and features."
The
idea basically extends best practices such as threat modeling and testing
throughout the entire development process.
"All
of these activities are helping us to identify potential problems so that we
can then resolve them before a malware author or another malicious actor might
find them," Arkin added.
Arkin
admitted that some vulnerabilities are inevitably going to appear, which is
where the updates come in. Starting in summer 2009, Adobe will issue quarterly
patches to deal with any security issues. Though the company is still hammering
out the exact timeline, the general plan is for the releases to coincide with
Microsoft's Patch Tuesday.
"What
we heard from our customers is that offering the updates on the same day will
help align with the way our customers today are applying patches," Arkin
said.
Statistics
from Qualys released in April showed that many Acrobat and Reader users
were behind in their patches, even as news of a zero-day continued to circulate.
Perhaps it is unsurprising then that hackers often use exploits targeting Reader
and Adobe Flash as a way in.
"This
is something that we're talking publicly about now even though we've been
working on it since February, and in the months to come we're going to continue
talking about further details and new ideas that we have for how we can better
improve the security for Reader and Acrobat and make the product even more safe
to use for our customers," Arkin said.
Email
Print
