Adobe Systems Inc. said it would revamp its incident response process and offer more support of security tools to lock down Adobe technologies.
The software maker announced sweeping changes to its patching processes Wednesday. Updates for Adobe Reader and Acrobat will be released quarterly beginning in December. The process will mirror Microsoft's monthly Patch Tuesday bulletin updates and be released on the same days each quarter, Brad Arkin, Adobe's director of product security and privacy, wrote in a message on the company's Adobe Secure Software Engineering Team blog.
Arkin said Adobe's engineers have been focused on revamping the company's software security processes since February, when a critical image handling flaw was being actively exploited in the wild. Security researchers noted at the time that Adobe could have moved faster to issue an update for its large user base, even though the ongoing attacks were limited and targeted.
"Everything from our security team's communications during an incident, to our security update process to the code itself has been carefully reviewed," Arkin said.
Adobe said its latest changes improve its incident response process, introducing more timely communications and faster turn-around times on patch releases. The software vendor will also try to issue simultaneous patches to address all affected versions.
Arkin said Adobe has also been improving its security development lifecycle, using Microsoft's Security Development Lifecycle as a blueprint for Adobe software. Adobe introduced threat modeling, automated and manual security code reviews and fuzzing for all its products. Arkin said the latest focus has been on hardening at-risk areas of the legacy code.
"Even in cases where no immediate vulnerability was identified, we have been strengthening input validation on a best-practice basis," he said.
The first signs of changes to Adobe's security process were reported by SearchSecurity.com in December, when Adobe launched its Adobe Secure Software Engineering Team blog to increase visibility in the security community and encourage security researchers to report vulnerabilities directly to the software vendor. Adobe also improved its software code at the time, enabling secure compiler flags in Flash Player and Adobe Reader. Flags help ensure developers don't store static passwords, encryption keys or other sensitive data within the source code of a SWF file.