Adobe working on new automatic (silent) updater

Summary: The new update will give end users an automatic download in the background and will install the updates with no user interaction option.

In the wake of a dramatic surge in malware attacks against Adobe's ubiquitous software products (Reader, Acrobat, Flash Player), the company plans to ship a new automatic updater mechanism that will silently patch security holes without any user action.

Sometime this month, Adobe will release the updater to beta users to test the effectiveness of silent patching. In effect, the tool gives end users an automatic download in the background and will install the updates with no user interaction option.

According to Adobe security chief Brad Arkin, the tool will be configurable for end users that want more control of the patching process.

"They can download and then give them the choice to install it, or it can just notify – or you can turn it off completely. And so, by giving users these options, you know, people who have a well managed environment and they’ve got good reason for why they don’t want to install an update," Arkin said in a Q&A posted to Threatpost.com.

Studies have shown that silent updaters [without any user action] are the most effective way to ensure the widest possible distribution of security patches and Adobe is clearly hoping that this will speed up the distribution of its patches.

In the Threatpost Q&A, Arkin also addresses his team's incident response process and explains why it's near impossible to remove JavaScript support from PDF Reader, despite the known dangers associated with JavaScript.

Talkback

63 comments
  • Choice - YES

    Automatic WITHOUT choice - NO!
    kd5auq
    • Agreed

      The automatic is for the people who do not have time or do not worry about breaking custom apps or do not know better. But you need a manual option for those who do their due diligence, especially for those who have custom apps that may break if they rely on the updated software.
      Michael Kelly
      • Wrong!

        You forgot the people who know better, are
        worried, have plenty of time, and do it anyways!
        AzuMao
    • Third Paragraph Provides Choice

      I guess no one saw the paragraphs that read . . .

      [i]
      According to Adobe security chief Brad Arkin, the tool be configurable for end users that want more control of the patching process.

      "They can download and then give them the choice to install it, or it can just notify – or you can turn it off completely.
      [/i]
      DarienHawk67
      • That isn't really a choice.

        For it to really be a choice would require the
        user to actually understand the differences
        between the options. The vast majority of users
        have no clue what "notify" and "install" even
        mean. So there isn't much of a choice.
        AzuMao
    • But.. if choice = yes and automatic without choice = no, then..

      ..what does manual with choice =? Maybe?
      AzuMao
  • just one more way to infect windoze

    and cripple internet bandwidth.
    Linux Geek
    • Linux Geek

      You're an idiot.
      SystemVoid
      • No he's not.

        That's being really mean and unfair to idiots.
        AzuMao
      • Agreed.... idiot boy bashes Microsoft in EVERY SINGLE POSTING

        And never has any REAL meat to add to the discussion. To ZDNet... BAN THIS LOSER!
        Lerianis10
    • Linux Geek

      You and your ilk NEVER cease to totally amaze me. You despise Microsoft and yet STILL troll around on these boards and expect everyone else in the world to want to listen to your drivel. Go back and play with your Linux stuff and leave the rest of us, who happen to be in a VAST MAJORITY when compared to you and yours, alone. We DON'T CARE what you have to say and would much rather you go troll somewhere else so we can read the comments that actually have something to add to the discussion. Mental midgets like yourself just don't get it, do you?
      TxTopgun
      • Ilk?

        Don't group all Linux advocates in with that
        moron, please.
        AzuMao
    • Baby want some attention?

      Here, have some attention. Feel better?
      Lester Young
    • Uh?

      There are enough real ways without making shit up.
      The only way this would give you malware is if
      their update servers got hacked, in which case manually updating would give you just as much
      malware anyways.
      AzuMao
      • I would've thought...

        I would've thought that should apply to PDFs and JPGs, too.

        Actually I think that Linux Geek might be right (for once) given Adobe's recent track record.

        lehnerus2000
        lehnerus2000
        • If you say so.

          I really doubt they could get something as simple
          as an updater wrong, though. I mean come on. All
          it has to do is download the update, make sure
          it's really from Adobe, and run it. How hard could
          it be not to mess that up?
          AzuMao
      • You wouldn't need to hack the servers......

        Just suppose you do open a jpg, sfw, etc, that has been infected. The infection could be something so simple as to just poison your DNS so that the next time the update runs it retrieves the update from an infected source rather than Adobe and the update it downloads carries the actual virus.

        I'm sure the Adobe security teams wouldn't leave their update process as simplified as that - but I'm not a hacker/virus spreading a**ehole and they seem to be hellbent on circumventing security!
        TigerMark
        • Um..

          ..if the virus has already infected your
          computer, and is changing DNS entries and stuff,
          why would it need the automatic update service
          to infect your computer? It has already infected
          it.


          Also, my post only applies if Adobe are too
          retarded to sign their updates (e.g. asymmetric
          encryption). If they do, not only does the server
          need hacked, but whoever has their private key
          needs to be tortured into giving it up.
          AzuMao
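
The check debated in the comments above (an updater that only runs downloads signed by the vendor, so a redirected download is refused), as an added example that is not part of the original thread and not Adobe's code. Ed25519, the type and function names, and all keys and file contents are assumptions constructed for illustration; the page does not say how Adobe's updater verifies downloads.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the updater fetched: installer bytes plus a detached signature.
// Both arrive over the network, so neither is trusted until verified.
type Update struct {
	Payload, Signature []byte
}

var ErrBadSignature = errors.New("update rejected: not signed by the pinned vendor key")

// VerifyUpdate checks the download against the vendor public key shipped inside
// the updater. Where the bytes came from (DNS, mirror, proxy) plays no part.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// demoKey derives a constructed, deterministic key so the example runs offline.
func demoKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// Verdicts runs four constructed downloads through VerifyUpdate.
func Verdicts() map[string]bool {
	vendor, other := demoKey("constructed vendor key"), demoKey("constructed non-vendor key")
	pinned := vendor.Public().(ed25519.PublicKey)
	good, swapped := []byte("constructed installer v2"), []byte("constructed installer, replaced")
	downloads := map[string]Update{
		"vendor file, vendor signature":      {good, ed25519.Sign(vendor, good)},
		"replaced file, reused signature":    {swapped, ed25519.Sign(vendor, good)},
		"replaced file, signed by other key": {swapped, ed25519.Sign(other, swapped)},
		"vendor file, signature stripped":    {good, nil},
	}
	out := make(map[string]bool, len(downloads))
	for name, u := range downloads {
		out[name] = VerifyUpdate(pinned, u) == nil
	}
	return out
}

func main() {
	for name, ok := range Verdicts() {
		fmt.Printf("%-36s install=%v\n", name, ok)
	}
}
```

Only the first download is installed. The guarantee rests on the pinned public key inside the updater and on the vendor keeping the private key off the update servers.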
    • LinuxGeek consistently makes Linux users appear stupid!

      But we are not. Besides, most of us need to know both Windows [i]and[/i] Linux.
      djchandler
  • GRRRR

    Will Adobe, Apple, etc PLEASE STOP running pointless ******** updaters, trays, etc on startup. Just update like Firefox (when the application is actually running). And no, I don't want ANY software updating itself "silently". I'm not even sure how this can be accomplished with the Vista/Win7 protections unless it is always running as an Administrator or as a service with administrative privileges. I shudder to think of the new malware suddenly installing on my system given their track record.

    Personally - I prefer Foxit and won't let Acrobat anywhere near my system.
    Yensi717