Adobe considers shorter update cycles
According to Brad Arkin, Adobe's Director of Product Security and Privacy, the company is currently considering reducing the interval between security updates for Adobe Reader from 90 to 30 days. Adobe started a three-monthly cycle in mid 2009 and has since been releasing updates for Adobe Reader and Acrobat on the second Tuesday of every third month – the same day as Microsoft's official patch day.
In view of the large number of security vulnerabilities discovered in recent months, major customers appear to have increased the pressure on Adobe to reduce the interval between security patch releases. Arkin has told The H's associates at heise Security that a monthly cycle is one of the alternatives currently under discussion. He adds that, in emergencies, Adobe is also now in a position to develop patches within 15 days and to release them outside of the regular patch cycle. This compares with the 80 days Arkin's team needed to develop a patch for the JBIG2 vulnerability in spring 2009.
In addition to Adobe Reader, the company wants to bring products such as Flash and Shockwave into the update cycle. Previously, updates for these products have been released as needed and when ready. It's not clear whether products other than Adobe Reader will be patched automatically by means of the new update mechanism.
In conversation with heise Security, Arkin expressed major interest in using "other channels" to get patches for Adobe products to users. Though he didn't mention Microsoft Update by name, in the same breath he pointed out that Adobe already distributes its updates via the operating systems' own automatic update systems under Mac OS X and Red Hat Linux.
Microsoft itself has declined to comment officially on the possibility of opening up Microsoft Update to other companies. Microsoft representatives merely point out the huge complexity and numerous organisational and legal hurdles involved. The company also appears to have concerns about the risk posed by a bad update for a product as widely used as Adobe Reader.
However, there is already a common interface between Adobe and Microsoft. According to Arkin, by the end of 2010, Adobe updates should be being distributed via Microsoft's System Center Updates Publisher (SCUP). This will benefit customers of Microsoft's System Center Configuration Manager (SCCM) and System Center Essentials (SCE), as it allows them to install updates faster, and therefore at lower cost, on company networks.
- Adobe introduces automatic update for Reader, a report from The H.
- Adobe to introduce silent updates for Reader, a report from The H.
- The H Update Check
(Uli Ries / crve)