…software, that has become the standard others in the industry follow. It is roundly lauded for its efforts.
Now it is Adobe's turn to step up to the plate.
"Microsoft is a model for patch management… it was forced into it. It really turned around," Hypponen said in an interview last week at Black Hat. "Now, Flash and Reader are ubiquitous and it's harder and harder to target Microsoft, so the attackers are looking for easier targets."
In particular, Adobe's patching process is not as robust as Microsoft's, Hypponen and others have said.
In all fairness, Adobe is on the right path. Prompted by a zero-day hole in Reader, in May the company decided to begin releasing patches on a quarterly basis and scheduling updates to coincide with Microsoft's Patch Tuesday releases.
At the time of the Adobe announcement, Arkin said the company was reviewing "everything from our security team's communications during an incident to our security update process to the code itself". He also promised that users would "see more timely communications regarding incidents, quicker turnaround times on patch releases and simultaneous patches for more affected versions as we move forward".
Adobe was the first third-party vendor to release a fix for software affected by a vulnerability in Microsoft's Active Template Library, which is used to build components for web applications and was being exploited, according to Arkin.
"We scoured the entire Adobe portfolio and evaluated more than 200 products in the field today to determine which might be vulnerable," he said, adding that fixes for Shockwave Player and Flash Player shipped within weeks.
A zero-day exploit targeting Reader and Acrobat that Adobe learned about on 27 April was fixed about two weeks later, he said. Adobe issued a patch last week for a critical Flash Player problem that was being exploited, allowing attackers to take over a computer via content viewed in a browser.
"We are quite happy with the performance on those," Arkin said of the time frame for the patches.
The company also has been turning an eye toward "digging into legacy code" and looking for additional ways to improve products overall, he said. "Adobe integrates the best practices you see at Microsoft and other companies."
A security researcher, who asked not to be named, complained that at an architectural level, some Adobe applications have too much access to the operating system. "Why should something that operates on untrusted data have full access to your trusted data?" he asked, mentioning specifically Adobe Reader and its ability to access the hard drive to read and write files.
The program's functions require it to be able to save and open files on the file system and thus have read-and-write access to the hard drive, Arkin said. "Web browsers all have the ability to save to the file system" and the privileges between the two types of programs are similar, he added.
Market pressures
Security versus functionality trade-offs aside, changes in Adobe's products and processes will come in response to market pressures and not merely because it is the favourite target for attackers, said Bruce Schneier, chief technology officer of BT Counterpane.
"This is all very much a business decision, whether the company decides to take security seriously or not," he said, adding that he spent his day dealing with Adobe updates.
"I'd like to think that they would start realising that they can use security as a selling point, but it took Linux to get Microsoft to do that. They felt they had competition," he said. "Is there a Linux waiting to affect Adobe?"
Not really, according to the experts.
Dan Kaminsky, director of penetration testing at IOActive, praised Adobe for "reconfiguring itself" with regards to security issues and suggested critics should cut the company some slack.
"The PDF exploitation only recently blew up, and remember, it takes any software development house a while to really address problems," he said, adding that Flash 9 was much more secure than Flash 8.
"Does Adobe have products they need to lock down? Yes. Are they in the process of doing so? Yes. They did it for Flash and they'll do it for Reader," he said.
"There's always a 'most vulnerable' attack surface."




