Adobe explains PDF patch delay

Emergency patch would have postponed Jan.'s enterprise-oriented update


"We're not establishing a guaranteed policy here," Arkin said, referring to the decision to delay the patch of the exploited vulnerability, "but where this happened to fall on the calendar played a part. If we're early in the quarter, and if it's urgent, we can release an out-of-cycle update, but as you get later, and closer to the quarterly patch, you have to weigh how [an out-of-cycle update] impacts that."

Arkin denied that Adobe lacked the resources necessary to handle out-of-cycle updates while still making its quarterly update schedule, but acknowledged that the company can't afford to have a team of engineers "waiting just in case" an emergency occurs.

He also dismissed comparisons to Microsoft, whose security teams have frequently been faced with the same problem -- rush out a patch or wait until the next cycle -- and succeeded in meeting both simultaneously. "There's a lot of differences between us and them," Arkin said. "You don't really know when they queue things up, for example. They might have started working on a patch long before because the vulnerability had been responsibly disclosed."

Overall, Arkin said, the quarterly patch schedule is a positive, primarily because it appeals to enterprises using Adobe's software. "It's been really well received by all the customers I've talked with," he said. "They really appreciate the ability to plan for it, to know when it's coming."

However, he deflected questions about whether the quarterly schedule may leave consumers at risk longer than if Adobe released security updates as soon as they're ready. Instead, he touted Adobe's revised updating tool, which was provided to users via the October Reader/Acrobat security release, but switched on only for a small group of beta testers.

"For home and consumer users, we have the new updater that we shipped in October," said Arkin. "It allows a couple of different options, including downloading and installing in the background, without any user interaction. Reminding people that there's an update when they're using the product is usually the worst time," Arkin continued. Instead, the new updater will process patches, download and install them -- with no effort on users' parts. "We're hoping this will keep people updated with patches," he said.

Adobe will use the new updater for the first time next month to deliver the Jan. 12 patches to the beta testers, get feedback from the group, and then perhaps switch it on for all users.

Arkin admitted that, even with the new focus on security, Adobe can do better. One way would be to get information about active attacks sooner. While Adobe only learned of the current vulnerability and exploit last Monday, when several security vendors reported their findings, evidence in filtering logs shows that the attack code was being e-mailed to targeted victims as early as Nov. 20.

Adobe will try to get intelligence from its security partners earlier in the attack timeline, said Arkin. "We're working hard to get information as early as possible in the awareness cycle," he said. "Maybe we would have made a different decision if we had known about the vulnerability in November."

The Jan. 12 security update for Reader and Acrobat will include patches for other bugs that have been privately reported to Adobe by researchers. Arkin declined to get specific about what will be patched then, or even how many flaws will be fixed. "But we're looking for something more modest in size than the one we shipped in October," he said.

Adobe patched 29 bugs in Reader and Acrobat in its last regularly scheduled security update, which was released Oct. 13.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter @gkeizer, send e-mail at or subscribe to Gregg's RSS feed.

Copyright © 2009 IDG Communications, Inc.
