Adobe to release security updates a la Patch Tuesday

Once a quarter, Adobe will follow Microsoft's Patch Tuesday model as part of a broader effort to improve its approach to product security following issues with Adobe Reader.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Correction 4:05 p.m. PDT: This post initially misstated how often the security updates will be. Adobe plans to issue updates quarterly.

Adobe said on Wednesday it will release quarterly security updates to coincide with Microsoft's Patch Tuesday as part of a new approach to product security for Adobe Reader and Acrobat.

The security updates will be delivered on a second Tuesday once a quarter, beginning this summer, Brad Arkin, director of product security and privacy, wrote in a blog post. Microsoft's Patch Tuesday updates are issued monthly on the second Tuesday.

Adobe security patches released on Patch Tuesdays March 10 and May 12 were coincidental, the post said.

The most recent patch fixed a hole in Flash Media Server 3.5.1 and earlier that could allow an attacker to execute remote procedures in Flash Media Interactive Server or Flash Media Streaming Server.

The March patch fixed a critical vulnerability in Adobe Reader 9 and Acrobat 9 that could allow an attacker to take complete control of a computer and for which exploits had been reportedly found in the wild for nearly two months.

The Adobe Reader issue sparked "a lot of conversation internally at Adobe from executives to testers and developers" and ultimately led to the permanent changes to Adobe's software security approach, Arkin said. "Everything from our security team's communications during an incident to our security update process to the code itself has been carefully reviewed," he wrote.

All new code and features for Adobe Reader and Acrobat have been put through a Secure product Lifecycle that is similar to Microsoft's much-touted Security Development Lifecycle, according to Arkin. Now, Adobe is working on hardening at-risk areas of its legacy code too, he added.

Arkin also promised that people outside the company "will see more timely communications regarding incidents, quicker turnaround times on patch releases, and simultaneous patches for more affected versions as we move forward."

Security issues with Adobe Reader prompted firm F-Secure to suggest that people should switch to an alternate PDF reader at the RSA security conference last month. Just last month another security hole surfaced in Adobe Reader.