Facing criticism, Adobe rethinks PDF security

Promises more secure code, faster patching and regular updates for Reader

1 2 Page 2
Page 2 of 2

Adobe will also mimic Microsoft by not only moving to a regular patch delivery schedule, but by going so far as to issue those patches on the same day as Microsoft. "Previously, we did patches on an as-needed basis," said Arkin. "But now we're going to offer them on a [quarterly] basis, and align them with the second Tuesday of the month. Feedback from our customers showed that was a better fit with their processes."

Arkin declined to specify a start date for the quarterly Reader and Acrobat security updates, saying only that they would kick off sometime this summer.

There are some things Adobe won't do, however. Only Reader and Acrobat are involved in the security revamping project, and Adobe won't consider disabling JavaScript in either application. Both recent zero-day vulnerabilities have involved JavaScript, which Adobe has recommended users temporarily switch off until a patch is available.

"No, we won't disable JavaScript by default," said Arkin when asked today. "JavaScript is a really critical feature for our enterprise customers." Instead, he countered that the other measures would result in more secure code while retaining JavaScript. "The code hardening effort will make sure JavaScript is as safe and secure to use as possible," he said.

"The way malware tries to attack people's machines has changed in the last six to twelve months," said Arkin in explaining why Adobe felt the need to revamp its security process.

There's no denying that hackers are exploiting Adobe bugs. According to Finnish security company F-Secure, patching 48.9% of all targeted attacks conducted this year involved a malicious PDF file attached to a legitimate-looking e-mail, a huge change from 2008, when PDFs made up just 28.6% of targeted attacks.

Andrew Storms, director of security operations at nCircle Network Security and a frequent critic of Adobe's practices, welcomed the moves, but wasn't ready to applaud Adobe just yet.

"The proof will be in six months or so," said Storms, "when we see the outcome. Will we see fewer bugs, fewer Reader zero-days? It's always that the proof is in the pudding. But it's welcome that another vendor has stepped up to better protect their customers."

Arkin has written an entry to Adobe's security blog that goes into more detail about the company's new-found Reader security religion.

Copyright © 2009 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
8 simple ways to clean data with Excel
  
Shop Tech Products at Amazon