Adobe plans quarterly Patch Day for Reader/Acrobat fixes



Borrowing a few pages from Microsoft's playbook, Adobe today announced plans for a quarterly Patch Day for its Reader/Acrobat product lines and new initiatives to beef up its code hardening and security response processes.

Starting this summer, Adobe Reader and Acrobat security patches will be released on a quarterly schedule and will be timed to coincide with Microsoft's second-Tuesday-of-the-month bulletin releases. The new schedule will not include fixes for Adobe Flash Player, Adobe AIR or other software products.


Here's the gist of the plans, as outlined by Brad Arkin, director of product security and privacy at Adobe:

  1. Code Hardening - For the past several years all new code and features for Adobe Reader and Acrobat have been subject to our modern Secure Product Lifecycle (SPLC). The Adobe SPLC is similar to Microsoft’s Security Development Lifecycle (SDL). The Adobe SPLC integrates standard secure software activities such as threat modeling, automated and manual security code reviews, and fuzzing into the standard Adobe Product Lifecycle we follow for all projects.

     The SPLC activities have been successful in mitigating threats in new code development, but did not fully address problems in the existing code base. Therefore, an initiative in the current security effort has been focused on hardening at-risk areas of the legacy code. We’ve applied the latest SPLC techniques against these prioritized sections of each application. Even in cases where no immediate vulnerability was identified, we have been strengthening input validation on a best-practice basis. (Experience shows such validation is a powerful tool in preventing as-yet unidentified security holes.)
  2. Incident Response Process Improvements – We’ve targeted several specific areas where we are improving our incident response process. We expect folks outside Adobe will see more timely communications regarding incidents, quicker turn-around times on patch releases, and simultaneous patches for more affected versions as we move forward.

     This approach was tested sooner than we would have liked with CVE-2009-1492/1493. Although this incident fell in the middle of our security effort, we were encouraged by the progress our response demonstrated. We worked to communicate early and often via our PSIRT blog and two weeks later, on May 12, 2009, we simultaneously shipped 29 binaries to update 17 different versions of Adobe Reader and Acrobat covering 32 languages for the Windows, Mac, and UNIX platforms.
  3. Regular Security Updates – Starting this summer with the initial output of our security code hardening effort, we plan to release security updates for all major supported versions and platforms of Adobe Reader and Acrobat on a quarterly basis. Based on feedback from our customers, who have processes and resources geared toward Microsoft’s “Patch Tuesday” security updates, we will make Adobe’s quarterly patches available on the same days. (Although our 3/10/09 and 5/12/09 security patches landed on Patch Tuesday, the timing was coincidental. In both cases, we shipped the patches as soon as we finished testing them.)


I had a brief telephone conversation with Arkin today to discuss the plans and he said the changes were a direct result of the "changing threat landscape" affecting Adobe's customers. Over the last year, the company has struggled to cope with numerous exploit code releases and zero-day attacks and its security response process fell short of providing enough information for affected end-users.

These two comparison charts, via F-Secure, show just how much of a target Adobe has become, especially in the area of targeted attacks that use booby-trapped PDF files:

And now 2009 (year to date):

Microsoft's latest Security Intelligence Report (a must read!) also describes the target on Adobe's back -- malware authors consistently exploit Flash Player vulnerabilities -- so this news from Adobe could not have come at a better time.

While the SDL-type process is a no-brainer, I'd also like to see Adobe adopt a security advisory service (outside of the PSIRT blog) that provides some clear mitigation/guidance when exploit code is available for an unpatched vulnerability.

As Andrew Storms points out here, the company could also improve its relationship with the hacker community to try to stop zero-day releases and look closer at some software bells-and-whistles (hello JavaScript!) that introduce serious security problems.

  • Don't care - they already lost me

    Switched to Foxit

    Goodbye Adobe
    • Me Too

      Adobe lost me a while back!
      The 'G-Man.'
  • No thank you.

    I'll stick with KPDF. Security issues get fixed shortly after discovery. Besides, it works much better.
  • What about the enterprise?

    Do they have plans for an enterprise update application such as WSUS for their products? Probably not. Usually enterprise environments disable the automatic updates because end users do not have the rights to download/install applications. Adobe is another one of the companies that has grown too large for itself and puts out inferior products, just like Symantec (Symantec ruins everything they get their hands on and should hang it up or start over). All of the background services that run with Adobe products, like their licensing service, have driven me away from their other products. If developers actually tested their products maybe there wouldn't be these issues. Maybe they should start recruiting the attackers. They seem to have more knowledge about their products than they do, and that goes for MS too.
    • I agree, there needs to be a way to manage these updates

      Even with just a dozen computers in an office, I have no idea what version of Adobe Reader my various users are running. I am curious about what larger companies do about this software. I have deployed Adobe Reader via group policy in the past and it was a pain in the butt. It is not a task I'd look forward to performing on a monthly basis.
  • Was looking like a good post until

    ...and that goes for MS too.

    The 'G-Man.'
  • Quarterly???

    So if hackers release a new exploit the day after Adobe's patch Tuesday, we have to wait three months for a patch? This just illustrates that Adobe is completely out of touch with reality! Where have their security people (assuming they have some) been for the last year?
    • Tuesday's sounds good ...

      but as skepticat says, quarterly totally misses the boat. M$'s monthly schedule is bad enough, but this new idea is only 10 years out of date.

      It's too bad that Adobe is getting on the corporate schedule like MS did. They too are abandoning the small business and home users vulnerable to attacks that they have completed patches just sitting around and waiting for "release day". The "little" guy doesn't have an IT department to do testing, doesn't have custom apps to test against, and unfortunately all too often doesn't have adequate firewall and anti-malware protecting his computers.

      Monthly, and even more so, quarterly releases are intended for the group that least needs them, big business. That sort of schedule was originally created for, and is appropriate for new releases with new features and other improvements. It is totally inappropriate for security patches which should be released and applied as soon as they are "complete" to minimize the impact of malware infections on the impacted individuals and the internet as a whole (in the case of botnets).

      Adobe, wake up and figure out the difference between security patches and new features.

      In the meantime I guess I'm left with the thin "protection" of "security by obscurity" using PDF-XChange viewer (also free). Besides, I like the markup features it provides, that Acrobat Reader doesn't.
  • RE: Adobe plans quarterly Patch Day for Reader/Acrobat fixes

    This sounds like welcome good news long term for defenders. Hopefully this means that the current storm of malicious PDF-related activity will abate within the next several months or year or two. I wish Adobe would step on the gas a little harder to head off the 15 or so privately held PDF vulnerabilities mentioned at
  • RE: Adobe plans quarterly Patch Day for Reader/Acrobat fixes

    So, anyone test out the comparative resistance of Foxit or KPDF compared to Adobe?
  • RE: Adobe plans quarterly Patch Day for Reader/Acrobat fixes

    Why not do it on an "as-needed" basis. If a bot is out there, why wait until the month/quarter ends to put a "fix" out to users?
  • Exploits Monthly & Patches Quarterly?!?

    What this will ultimately mean for enterprises during an exploit period is the total blocking of PDF files until Adobe's Quarterly Patches come out.

    But then we all know that as soon as one vulnerability is patched someone that has been holding on to a Zero Day vulnerability will announce their findings.

    As prevalent as Acrobat Reader is on the Windows Platform Adobe should patch "As needed" and "When Needed" not two weeks later as has been the case lately.

    But QUARTERLY?!? That is an excellent means of driving the portable document format to another vendor, one that is responsive to its users and the Internet community as a whole.
  • It is about time!

    I like Adobe Acrobat and Reader. It is about time for them to elevate their security game. I hope that they follow through with this commitment.
  • RE: Adobe plans quarterly Patch Day for Reader/Acrobat fixes

    Well the real problem is people do not update/patch their systems. All the big MS worm/virus incidents were already patched but the vast majority didn't know or care. MS now has auto updates but you see the usual suspects who say "I don't trust MS so I'll update when I'm ready - how dare they try to tell me how to run their system - my system's been broken - it's all M$ fault, they don't care".

    Adobe are putting themselves in the same position, however for home users they have a service run at start up which checks for updates, the usual crowd scream BLOAT, disable it and then scream that they weren't protected.

    Although why a document reader should be able to get admin rights is beyond me. It's read only for feck's sake.