Adobe moves to regular patching cycle for PDF tools
updated 11:15 am EDT, Thu May 21, 2009
Adobe adopts patch cycle
Adobe will be adopting a quarterly patch cycle, at least with regard to Reader and Acrobat, explains the company's security and privacy director, Brad Arkin. Patches for the PDF tools should now be released every three months, on the second Tuesday of the month. The timing is meant to coincide with Microsoft's famous "Patch Tuesdays," Arkin notes, thereby giving IT workers an opportunity to test updates from both companies before propagating them across a network.
While PDF documents are mostly local, static files, they also incorporate JavaScript, which malicious hackers can use to trigger problems like memory corruption and, in turn, assume control of a computer. Arkin admits that Adobe has failed to examine legacy code for these vulnerabilities in the past. Testing is now said to be ongoing, using methods such as threat modeling and fuzzing, the latter of which bombards a program with malformed or unexpected input until it triggers an unwanted response.
The director also confesses that the company was too slow to fix the recent JBIG2 vulnerability, which was exposed two weeks before a patch became available. Adobe will try to increase the speed of such emergency updates in the future, Arkin says.


