Adobe has promised to patch the newest zero-day vulnerability in its popular Adobe Reader software no later than next Tuesday, potentially adding another update to the month's busiest patch day for the second time in three months.
May 12 is also Microsoft's regularly-scheduled monthly Patch Tuesday.
On Friday, Adobe's security team announced that it would issue updates to Adobe Reader and Acrobat -- versions 9.x, 8.x and 7.x for Windows, 9.x and 8.x for Mac and Linux -- by next Tuesday.
"Additionally, we have confirmed the second vulnerability (CVE-2009-1493) for Adobe Reader for Unix," he added, referencing a second bug that was reported last week. "This issue will be resolved in the upcoming Adobe Reader for Unix updates. Currently, we have not been able to reproduce an exploitable scenario for Windows and Macintosh, but we will continue to investigate."
Adobe didn't complete its patching until March 24, when it delivered updates for Linux and Solaris, putting the bug's window of vulnerability at between 19 and 33 days. By comparison, if Adobe patches next Tuesday, the window for the newest flaw would be only 14 days.
We're continuing our work to be able to respond as diligently as possible when issues arise," Brad Arkin, Adobe's director of product security and privacy, said in an e-mail. "The timing of our planned product updates is based on this commitment."
"Their timing is the silver cloud," agreed Andrew Storms, director of security operations at nCircle Network Security Inc. "But it's difficult to see through that cloud."
Storms, who has been critical of Adobe's security process, remained so today. Not only has Adobe set the Reader patch for the same day that Microsoft will roll out it own fixes, but the paucity of information and the lack of security management tools from Adobe continues to frustrate Storms.
"If Adobe had said, here's the risk and here's a way to do this [mitigation] quickly in the enterprise, we'd be talking about a different story," Storms argued. "But they don't give us that information up front."
Arkin defended Adobe's schedule, which Storms also slammed for coming atop Microsoft's long-slated patch day. "Our focus is on delivering product updates as quickly as possible, and that's resulted in doing so by May 12," Arkin said. "In this case, the date coincidentally falls on Microsoft's Patch Tuesday."
"You can't really criticize software for having bugs, because all software was bugs," Storms concluded. "But you can [criticize a vendor] for its entire security lifecycle and its lack of tools. That's what makes a difference. Are they going to be on your [security] team or not depends on how they respond to a vulnerability and how they deal with it."
According to Adobe's security advisory, no in-the-wild exploits have been reported targeting the two unpatched vulnerabilities.