Adobe shifts to Microsoft patching process, incident response plan

By Robert Westervelt, News Editor 21 May 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Adobe Systems Inc. said it would revamp its incident response process and offer more support of security tools to lock down Adobe technologies.

The software maker announced sweeping changes to its patching processes Wednesday. Updates for Adobe Reader and Acrobat will be released quarterly beginning in December. The process will mirror Microsoft's monthly Patch Tuesday bulletin updates and be released on the same days each quarter, Brad Arkin, Adobe's director of product security and privacy wrote in a message on the company's Adobe Secure Software Engineering Team blog.

Adobe Systems: Dec. 2008 - Adobe hopes to speed patch releases with more transparency: Poor communication with security researchers fuels inefficiencies, the software maker said.   Adobe issues Reader update fixing zero-day flaw: Exploit code to attack a remote code execution flaw in Adobe Reader was available in the wild.   Sourcefire issues Adobe zero-day patch to block attacks: "Home brew patch," blocks attempts by hackers to exploit an unpatched buffer overflow vulnerability in Adobe Reader 9.

Arkin noted that Adobe said its engineers have been focused on revamping Adobe's software security processes since February when a critical image handling flaw was being actively exploited in the wild. Security researchers noted at the time that Adobe could have moved faster to issue an update to accommodate its large user base, despite ongoing attacks being limited and targeted.

"Everything from our security team's communications during an incident, to our security update process to the code itself has been carefully reviewed," Arkin said.

Adobe said its latest changes improve its incident response process, introducing more timely communications and faster turn-around times on patch releases. The software vendor will also try to issue simultaneous patches to address all affected versions.

Arkin said Adobe has also been improving its security development lifecycle, using Microsoft's Security Development Lifecycle as a blueprint for Adobe software. Adobe introduced threat modeling, automated and manual security code reviews and fuzzing for all its products. Arkin said the latest focus has been on hardening at-risk areas of the legacy code.

SearchSecurity radio:

"Even in cases where no immediate vulnerability was identified, we have been strengthening input validation on a best-practice basis," he said.

The first signs of changes to Adobe's security process were first reported by SearchSecurity.com in December, when Adobe launched its Adobe Secure Software Engineering Team blog to increase visibility in the security community and get security researchers to report vulnerabilities directly to the software vendor. Adobe also improved its software code at the time, enabling secure compiler flags in Flash Player and Adobe Reader. Flags help ensure developers don't store static passwords, encryption keys or other sensitive data within the source code of a SWF file.

Tags: Security Patch Management,  Securing Productivity Applications,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Microsoft gives Internet Explorer a major security overhaul Information security book excerpts and reviews What patch management metrics does Project Quant use? Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Securing Productivity Applications Adobe issues patch fixing month-long PDF zero-day vulnerability Another PDF attack targets Adobe zero-day vulnerability Active PDF attacks target Reader, Acrobat zero-day vulnerability Software piracy group offers cash to whistleblowers How to secure a .pdf file How do hackers bypass a code signing procedure to inject malware Quiz: How to build secure applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary