Adobe Tightens Development Process to Improve Security

After having three known zero-day bugs hit the Web so far in 2009, Adobe Systems is starting to talk security. Since February, Adobe has been making changes to its software development process and is planning to begin issuing quarterly updates starting this summer.

From a security standpoint, Adobe Systems has taken its share of lumps so far in 2009.

In February, news that Adobe Reader and Acrobat were vulnerable to a zero-day attack became public; in April, two other bugs surfaced. All three were eventually patched, but not before proof-of-concept exploit code for each bug began to circle. In the case of the flaw publicized in February, hackers feasted on the bug for at least two months before a fix was issued-and the initial patch didn't cover every version of the programs.

Since then, Adobe said, it has been changing its development process to improve software security. The project has been focused on three main areas: hardening the code, improving the incident response process and putting together a plan for issuing quarterly updates for Reader and Acrobat.

"We have for years now been following our secure product life cycle, which defines how we integrate security into the regular way that we build software at Adobe," said Brad Arkin, Adobe's director for product security and privacy. "For most of the projects, and particularly for Reader and Acrobat, our secure product life-cycle activities have mainly been focused on the new code and the new features that we're writing, and it hasn't fully addressed the potential security problems in the legacy code and features."

The idea basically extends best practices such as threat modeling and testing throughout the entire development process.

"All of these activities are helping us to identify potential problems so that we can then resolve them before a malware author or another malicious actor might find them," Arkin added.

Arkin admitted that some vulnerabilities are inevitably going to appear, which is where the updates come in. Starting in summer 2009, Adobe will issue quarterly patches to deal with any security issues. Though the company is still hammering out the exact timeline, the general plan is for the releases to coincide with Microsoft's Patch Tuesday.

"What we heard from our customers is that offering the updates on the same day will help align with the way our customers today are applying patches," Arkin said.

Statistics from Qualys released in April showed that many Acrobat and Reader users were behind in their patches, even as news of a zero-day continued to circulate. Perhaps it is unsurprising then that hackers often use exploits targeting Reader and Adobe Flash as a way in.

"This is something that we're talking publicly about now even though we've been working on it since February, and in the months to come we're going to continue talking about further details and new ideas that we have for how we can better improve the security for Reader and Acrobat and make the product even more safe to use for our customers," Arkin said.