Adobe shifts to Microsoft patching process, incident response plan


Robert Westervelt, News Editor


Adobe Systems Inc. said it would revamp its incident response process and offer more support of security tools to lock down Adobe technologies.

The software maker announced sweeping changes to its patching processes Wednesday. Updates for Adobe Reader and Acrobat will be released quarterly beginning in December. The process will mirror Microsoft's monthly Patch Tuesday bulletin releases and follow the same schedule each quarter, Brad Arkin, Adobe's director of product security and privacy, wrote in a post on the company's Adobe Secure Software Engineering Team blog.


Arkin said Adobe's engineers have been focused on revamping the company's software security processes since February, when a critical image-handling flaw was being actively exploited in the wild. Security researchers noted at the time that Adobe could have moved faster to issue an update for its large user base, even though the ongoing attacks were limited and targeted.

"Everything from our security team's communications during an incident, to our security update process to the code itself has been carefully reviewed," Arkin said.

Adobe said its latest changes improve its incident response process, introducing more timely communications and faster turnaround times on patch releases. The software vendor will also try to issue simultaneous patches that address all affected versions.

Arkin said Adobe has also been improving its security development lifecycle, using Microsoft's Security Development Lifecycle as a blueprint for Adobe software. Adobe has introduced threat modeling, automated and manual security code reviews, and fuzzing for all its products. Arkin said the latest focus has been on hardening at-risk areas of the legacy code.

"Even in cases where no immediate vulnerability was identified, we have been strengthening input validation on a best-practice basis," he said.

The first signs of changes to Adobe's security process were reported by SearchSecurity.com in December, when Adobe launched its Adobe Secure Software Engineering Team blog to increase its visibility in the security community and encourage security researchers to report vulnerabilities directly to the software vendor. Adobe also improved its software code at the time, enabling secure compiler flags in Flash Player and Adobe Reader. The flags help ensure developers don't store static passwords, encryption keys or other sensitive data within the source code of a SWF file.