Adobe Systems promised it was making changes to its security process, and June 9 it made good.
The company issued the first of what will now be quarterly security updates for Adobe Acrobat and Reader, this time plugging 13 “critical” vulnerabilities in Windows and Macintosh versions of the programs.
Among the 13 bugs are several heap overflow vulnerabilities and a memory corruption bug in the JBIG2 filter, the image-decoding code that a malicious PDF can reach simply by being opened, all of which could lead to arbitrary code execution. Also resolved are a stack overflow vulnerability (CVE-2009-1855) and multiple heap overflow vulnerabilities (CVE-2009-1861), likewise exploitable for code execution.
Adobe officials said they would align the quarterly updates with Microsoft’s Patch Tuesday, which on June 9 brought patches for 31 security vulnerabilities. The move is part of an effort to tighten security at Adobe that began after the company took criticism earlier in 2009 for its handling of a zero-day bug.
In February, Adobe began reviewing legacy code as well as new code as part of its secure development process. The security issues continued, however: two other bugs were subsequently found and patched, increasing criticism of the company. In May, the company announced a three-pronged strategy to improve security: enhanced incident response, quarterly patches and the aforementioned changes to the development process.
“I believe that the Adobe program of providing a predictable patch cycle will be helpful to the IT admin community,” said Qualys CTO Wolfgang Kandek. “It will raise the visibility of the Adobe patches both on the IT admin and IT management side and will increase the attention paid to these vulnerabilities.”