Facing criticism, Adobe rethinks PDF security
Blasted three months ago for being slow to fix a zero-day vulnerability in its popular PDF viewer, Adobe today promised it will root out bugs in older code, speed up the patching process and release regular security updates for Adobe Reader and Acrobat.
The flak Adobe caught in February, when it disclosed a critical vulnerability, admitted the bug was being used by hackers, but then took weeks to patch the problem, is what prompted Adobe to review its security practices, acknowledged Brad Arkin, Adobe's director for product security and privacy.
"At first, this was just another of our normal security incidents," said Arkin. "But it ended up expanding to [make] changes in our security practices with Reader and Acrobat."
The project, which kicked off in February, has three parts, said Arkin, starting with a look at the legacy code in Reader and Acrobat that he characterized as "at-risk areas."
Currently, Adobe develops new code under what it calls its Secure Product Lifecycle (SPCL), an approach similar to Microsoft's much-better-known Software Development Lifecycle (SDL), which involves several security-specific steps that programmers go through to make their software less liable to harbor bugs. From now on, said Arkin, Adobe will apply the SPCL methodology to some older sections of Reader and Acrobat, too.
"We're going to broadly look at the whole application, but focus on at-risk areas, where we'll do threat modeling, static code analysis and look for potential vulnerabilities," said Arkin, who refused to call that change a full-blown "code review," like the one Microsoft spent millions on to root out bugs in Windows XP.
"We're going to do a lot more pro-active work," he promised. "We want to shake loose vulnerabilities."
Adobe will also speed up its patching and communicate with users more frequently, Arkin said. The company was slapped by some in February for taking three weeks to fix the already-exploited bug, and then only for Reader and Acrobat 9; Adobe staggered the patch delivery for the other versions over several more weeks. A patch for a different zero-day vulnerability that Adobe issued this month was the first step toward that faster pace, said Arkin. "The fact that we were able to patch on May 12, and patch all [editions of] Reader and Acrobat on the same day, that's encouraging," he said.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
adobe
Powered by TwitterOn Twitter now
adobe
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
