Security Initiative: Adobe Mimics Microsoft's Patch Tuesday Program

Article by George Norman (Cybersecurity Editor)

on 25 May 2009

Adobe appears to have tired of the security vulnerabilities affecting its software applications and has announced a program similar to Microsoft’s Patch Tuesday (under which patches and fixes are released on the second Tuesday of every month). The move is a welcome one, given that just a couple of weeks ago Adobe Acrobat 9.1.1 and Adobe Reader 9.1.1 were released to address a 0-day security hole affecting all currently supported shipping versions of Adobe’s products. Targeted attacks against Adobe’s products have also seen a considerable increase (see the image below, provided by F-Secure).

Director of Product Security and Privacy, Brad Arkin, explains: “Starting this summer we plan to release security updates for all major supported versions and platforms of Adobe Reader and Acrobat on a quarterly basis. Based on feedback from our customers, who have processes and resources geared toward Microsoft’s “Patch Tuesday” security updates, we will make Adobe’s quarterly patches available on the same days.”

Adobe’s “Patch Tuesday” program is part of a larger security initiative that is meant to eliminate or at least mitigate some of the security risks that plague Adobe’s software; the security initiative is also meant to improve Adobe’s ability to respond to vulnerabilities in Reader and Acrobat discovered by external security researchers.

Adobe’s security initiative focuses on 3 major areas: the Patch Tuesday program mentioned above, code hardening, and incident response process enhancement. “An initiative in the current security effort has been focused on hardening at-risk areas of the legacy code,” explained Brad Arkin. “We’ve applied the latest SPLC [Secure Product Lifecycle] techniques against these prioritized sections of each application. Even in cases where no immediate vulnerability was identified, we have been strengthening input validation on a best-practice basis. Experience shows such validation is a powerful tool in preventing as-yet unidentified security holes.”

On incident response process enhancement, Arkin says external security researchers can expect a faster incident response process on Adobe’s part, timelier incident-related communications, and faster turnaround times on patch releases. When updates are released, you can also expect Adobe to release patches for multiple affected versions.




