
Tuesday, June 1, 2010

Adobe To Release Monthly Patches To Improve Security


Adobe has been coming under increasing fire for the regular security flaws found in products such as Adobe Reader and Flash. Adobe Reader is becoming the attack vector of choice, especially on Windows Vista and Windows 7, and security experts are telling Web users that any modern browser is secure enough—as long as they don't install Flash. Presently, Adobe's policy is to release updates every three months. The company is now contemplating a move to monthly patches, aligned with Microsoft's Patch Tuesday.

A switch to monthly patches would allow the company to be more responsive to security threats as they emerge, which in turn would greatly reduce Adobe customers' exposure to exploits. The three-month cycle was started last year, to make patch publication more predictable and easier to manage for corporate customers. Adobe has since improved its internal processes, making a monthly cycle possible.

More immediately, the latest update to Reader and Acrobat (published in the middle of last month) enables automatic updating. By default, the software will download, but not install, updates automatically. A fully automatic option is also possible.

The company's policies still have considerable room for improvement. The download links published on Adobe's website do not generally provide access to the latest version of the software. For example, the current version of Reader that's provided dates back to January of this year. Once installed, it will attempt to download and install patches, but if this fails (because the user refuses to allow the updates or cancels the updater, for example), the unpatched, flawed version will remain.

This also means that any new installations won't include the new automatic updating facilities. Given the problems the company has had with both security flaws and patch distribution, this decision seems bizarre. At the very least, the version published on the site should include April's automatic update capability.

Adobe's director of product security and privacy, Brad Arkin, also said that the company is considering other options to get patches distributed more effectively. On some platforms, Adobe updates are integrated into the platform's built-in update system, but this is not the case on Windows. Windows Update presently only supports third-party driver updates—regular security fixes aren't available through that channel.

One mechanism that Microsoft does provide for third-party patch distribution is the System Center Update Publisher. This framework allows third parties to publish patches so that they can be deployed using System Center Configuration Manager and System Center Essentials. Adobe is planning to use SCUP to publish updates by the end of the year, enabling greatly simplified patch management for corporate users.


