Following criticism from security researchers for its slow response to serious vulnerabilities, Adobe committed on Wednesday to a quarterly patch schedule and to hardening its Adobe Reader and Acrobat products.
The software company has embarked on an effort to root out vulnerabilities in its code and improve the security of its software, Brad Arkin, director of product security and privacy for Adobe, stated in a post on the company's ASSET blog. The so-called Secure Product Lifecycle (SPLC) will bring together threat modeling, code reviews and automated attacks on the software, such as fuzzing, Arkin said. The company also plans to improve incident response, answering vulnerability reports more quickly and speeding patch testing and deployment.
The announcement comes after a major flaw in Reader's handling of JBIG2-compressed image streams, widely referred to simply as the JBIG2 issue, was found in February to be under active exploitation in Adobe's ubiquitous Reader software.
"The JBIG2 issue also sparked a lot of conversation internally at Adobe from executives to testers and developers," Arkin stated. "What started out as a routine incident response expanded to a broader effort by Adobe Reader and Acrobat engineers, culminating in permanent changes to our software security approach for those products."
Malicious attacks have increasingly exploited flaws in ubiquitous third-party software such as Adobe Reader and Acrobat. In a recent report, security firm F-Secure found that PDF flaws surpassed Microsoft Word flaws as the favored vector of attack on the Internet.
Adobe's SPLC effort is modeled on Microsoft's Security Development Lifecycle (SDL), which the software giant created as part of its Trustworthy Computing initiative, launched by Bill Gates in January 2002. The SDL is not the only Microsoft practice that Adobe plans to adopt. The company will also release its patches on the same day as Microsoft, Arkin said.
"Based on feedback from our customers, who have processes and resources geared toward Microsoft's 'Patch Tuesday' security updates, we will make Adobe's quarterly patches available on the same days," he said.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos