14 DAY TRIAL // Adobe plans to launch a new update mechanism for its Reader and Acrobat products next week, capable of automatic deployment of security patches. The technology has been undergoing beta testing since last October.
Adobe Reader is the de facto PDF viewer for most of computer users today. However, the program's ubiquity has attracted the attention of hackers who would seize any opportunity to exploit its huge user base.
The number of remotely exploitable Adobe Reader vulnerabilities, which allow arbitrary code execution, has exploded in recent years. In consequence, Adobe has faced a lot of criticism from the information security community for an apparent failure to produce secure code.
To counter the flurry of attacks and zero-day flaws, in May last year, the company launched an effort to improve its incident response. This involved introducing a uniform quarterly update cycle aligned with Microsoft's Patch Tuesday, which mainly simplified the patch deployment process in corporate environments.
However, end-users remained largely unaffected by these changes and continued to display an overall failure to install critical security updates. Because of this, security researchers estimated that, this year, Adobe would surpass Microsoft in terms of exploits targeting its products.
But the San Jose-based software giant doesn't show signs of giving up and next Tuesday will introduce a new update system, which it believes will positively affect its ability to deliver patches to users. The new technology has been tested by a select group of users since October 2009, helping them receive the January and February updates.
The updater's preferences are similar to the ones offered by the Automatic Updates in Windows. It can be set to automatically install updates (Windows version only) or to download them, but ask the user for installation permission (enabled by default). Users can also choose to disable any type of automation and handle the updating process manually.
"Honoring the user's choice is important to Adobe. This includes the user's update preferences. Adobe has no plans to activate the automatic update option by default without prior user consent," commented Steve Gottwals, group product manager at Adobe. Nevertheless, he stressed that "The majority of attacks we are seeing are exploiting software installations that are not up-to-date with the latest security fixes. We therefore believe that the automatic update option is the best choice for most end-users."
