Plans to align its security update releases with Microsoft's Patch Tuesdays

May 21, 2009 12:27 GMT  ·  By

In light of the avalanche of critical 0-day vulnerabilities identified in its Adobe Reader and Acrobat products for the past year, Adobe wants to strengthen its security by reviewing critical areas of the older code base. A quarterly security update cycle will also be introduced starting this summer.

"Since February, Adobe Reader and Acrobat engineers have been executing a major project focused on software security. Everything from our security team’s communications during an incident to our security update process to the code itself has been carefully reviewed," Brad Arkin, Adobe's director of product security and privacy, announces.

In an effort to fight off the constant stream of security flaws found in these programs, which has dented the company's image, Adobe will make significant changes to the way it handles security.

For one, members of Adobe's Secure Software Engineering Team (ASSET), along with the Adobe Reader and Acrobat developers, are working on identifying high-risk portions of the older code base, which was not subject to the Secure Product Lifecycle (SPLC) introduced back in 2005.

"We’ve applied the latest SPLC techniques against these prioritized sections of each application. Even in cases where no immediate vulnerability was identified, we have been strengthening input validation on a best-practice basis," Arkin explains.

Another area where the company has failed to impress the security community, to say the least, is its response to 0-day security incidents. Back in February, a vulnerability affecting all versions of Adobe Reader and Acrobat, which was actively being exploited in the wild, went unfixed for three weeks. This gave attackers more than enough time to infect a considerable number of unsuspecting users through malformed PDF files.

In this respect, the company expects to respond and release patches in a more timely manner, and to provide more information on possible mitigations where possible. Improvements were already reflected in its handling of two recent critical vulnerabilities, which involved issuing updates for 17 different versions of Adobe Reader and Acrobat, something the company managed within a two-week time frame.

Furthermore, the update cycle for the two products will occur quarterly and will be aligned with Microsoft's "Patch Tuesday," in order to make deployment easier for administrators already prepared for this day. This does not mean, however, that the company will not break out of this cycle to release critical and urgent patches, if the situation warrants it.

This is good news for users everywhere, as Adobe Reader is installed on a vast number of computers worldwide, mainly due to the popularity of the .PDF document format. However, the same is true of Adobe's Flash Player, which this announcement does not mention, even though it too has seen many critical vulnerabilities lately and is constantly used as an attack vector by cybercrooks.