Adobe contemplates security

Crackerjack surprise creative commons photo courtesy of HermanTurnip

Update: I received a response from @bradarkin Adobe’s Director of Product Security and Privacy with corrections to my post. I was unaware of some details and fortunately Brad set me straight. Updates will be noted in-line.

Crackerjack surprise creative commons photo courtesy of HermanTurnip

If I had a microphone right now I would do a little tap, tap, tap. Hello? Adobe? Are you listening? The reason is Adobe is one of the most confused organizations on the brink of a security crisis I can think of. Let’s take a look at a few of the events that relate to their products and how they have handled them over the last 12 months. Update: Yes they are, as noted above. It’s great to know the security team is available to work with the security community.

  1. Last summer they announced a quarterly fix cycle for Adobe Acrobat and Reader to coincide with Microsoft’s patch Tuesday. It has been spotty at best, but they have held to a slightly predictable schedule for IT admins to cope with the patches. Update: Adobe’s dates on their security advisories do not match the release dates, which led to my confusion. They have released quarterly updates (plus out-of-band) for the Adobe Reader/Acrobat products, but there is no consistent policy across product lines.
  2. In spring 2010 they released an auto-update feature for Acrobat and Reader. Another mixed blessing as it were. The current release from their website does not include this capability (it’s out of date by several months) as they only update the website with major “dot” releases, not “double dot” releases. Adobe has promised the July release will be posted on the main download link. Update: Brad says the update functionality has been in the code since version 9.2, which was released in October 2009. It was not activated as a feature until April, but customers downloading the January release from will automatically be updated.
  3. Adobe provides no centralized management for organizations to monitor or manage which release they are using. They have announced some partnerships with Microsoft to enable SCCM and SCE users to deploy updates using those tools, but nothing from Adobe itself. If you have non-privileged users they will continually be prompted to upgrade to something they cannot install, unless of course you have disabled the auto-update checks.
  4. Flash and Shockwave? Random updates, huge patches, and no mechanism to update them whatsoever. In fact it has gotten so bad that Mozilla is now checking your Adobe plugins for you, because the plugins themselves don’t provide any way to know you are out of date. Update: Brad pointed me to a tool (free license required) that allows centralized Flash management. This is a big help to IT administrators, but does not help self-managed PCs.

Adobe’s response? Quite a bit of talk on the ASSET blog and a large improvement over the past year. I hesitate to say it is enough though. Adobe’s browser addons are indisputably the most targeted of all because of their security problems.

Tech website Ars Technica is reporting that Adobe is considering moving to a monthly patch cycle. This is a welcome move, but what we have seen from Adobe has appeared to be a bit haphazard.

I think Adobe would do well to review their entire security strategy and publish a uniform plan to the public. They also need to stick to it. Similar to Facebook’s privacy policy, IT administrators are left guessing when a patch might be available and are required to closely monitor Adobe’s changes. If they drop their guard they may be left vulnerable, or with a new default behavior that is undesired. Update: While I appreciate the response from Adobe, this still holds true. Different product sets are dealt with in different manners. A more consistent and clear policy would help all of us with planning to patch and safely using Adobe products. I apologize to Adobe for my errors, but I will say that if I have a hard time determining the facts, most people with less time to focus on the problem will face a similar fate.

An important piece in this new strategy must be to address the updating of Flash, both increasing frequency and making it more automated for the average web surfer. In the meantime we must carefully read Adobe’s blog and watch for advisories and try to adjust our testing schedules for whatever may come down the pipe next.

Update 9 June 2010: I had the opportunity to sit down with Brad Arkin in Adobe’s San Francisco office today and we had a very productive discussion. Adobe’s cooperation with us and the other vendors in this space is welcome and refreshing compared with many other technology companies. As Adobe continues to improve their processes we will continue to provide you with our angle and welcome Adobe’s assistance.

Creative Commons image courtesy of HermanTurnip’s Flickr photostream.