After attacks, Adobe patches now come faster

IDG News Service - Hackers are fond of Adobe Systems, and now the company knows it all too well.

Adobe's software has increasingly come under attack in recent years as hackers have realized it can be easier to find flaws in popular software that runs on top of Windows than it is to dig up new vulnerabilities in the operating system itself.

This has led to a round of new attacks that exploit bugs in products such as Adobe's Reader, Apple's QuickTime, and the Mozilla Firefox browser.

It's a reality that Adobe Chief Technology Officer Kevin Lynch freely acknowledged Monday in a press conference at the company's annual Adobe MAX developer conference, held in Los Angeles.

"We have absolutely seen an increase in the number of attacks around Reader in particular, and also Flash Player to some extent," he said. "We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues."

For Adobe, this new reality became clear in February, when the company's Reader and Acrobat software was the target of a widespread attack. The volunteer watchdog group Shadowserver Foundation started sounding the alarm about the problem on February 19. Security experts later determined that it had been exploited by attackers since early January, but Adobe didn't end up patching the bug until March 10. It took two more weeks for the company to patch all of its supported platforms.

It was a public relations disaster for the company, whose sluggish response was pilloried by security experts.

Adobe Director for Product Security and Privacy Brad Arkin says the problems spurred good things, though. "We used that experience to help understand where the bottlenecks were and what process changes we could implement to improve our response time," he said in an interview Monday.

In May, Arkin announced that the company would take new steps to stress-test its software, and improve its response-time to security incidents.

Adobe currently releases regularly scheduled security software updates (the latest is due next week), but if the company needs to rush out a patch, it can be done much more quickly than before.

Adobe posted emergency patches in May and again at the end of July, both of which took about two weeks to turn around, Arkin said. "The turnaround for these things is something that has been a real focus," he said.

"We understand that given our wide distribution base we're going to be a target," Arkin added. "These types of software patches are going to be a fact of life for us."

(James Niccolai in Los Angeles contributed to this report.)