Over the past year companies such as Microsoft and Oracle have been commended for their vulnerability patching, while another vendor, despite taking great strides in the area, has not been viewed so favourably.
Adobe has often been criticised for its supposedly insecure software, with its PDF files commonly used to host malicious content. I recently met with Brad Arkin, senior director of product security and privacy at Adobe, and got the chance to ask him about some of these issues and about the work on securing its software further.
He opened by telling me that the new range of Acrobat services allows sandboxing and will stop features in the PDF from talking directly to the operating system. He also said that since steps were taken to improve patching, it has seen the time taken to issue a patch reduced by 70 per cent.
A new venture is a collaboration with Microsoft on its Assessment and Planning (MAP) Toolkit. Adobe is working with the software giant to roll out information and make robust detections on the same day as a patch is delivered.
This has led to some online buzz around a rumoured acquisition of Adobe by Microsoft. I was told that it was 'a business issue that we cannot speak on'.
What Adobe could talk about is how it is making strides in securing its technology, which led to Arkin's appointment in 2008.
He said: “It is now clear that with the ubiquity of our software comes a great deal of responsibility in order to help our users protect against these threats that are out there. This is not Adobe's policy, it is an industry challenge, so we are working for the things we can do ourselves and also with the industry.”
“Our goal is to fix things in a timely manner and our target for patching outstanding bugs is less than 90 days and it is three months on average. So there may be a bug that got reported just after we locked the code and it will be three and a half months before we can ship the patch, but our goal is less than 90 days and the average is less than that, so we are doing a good job there.”
“For urgent zero-days, waiting 90 days would not be a good experience so we tend to move much more quickly on those and it depends on when we receive details of it, how complex it is to fix and what kind of product it affects, so for Reader and Acrobat we have to test across 85 different deliverables and cannot afford to bluescreen by cutting corners. If everything is alright, we can patch for Reader in 15 days but sometimes it makes more sense to put it into the quarterly update.”
I asked Arkin whether quarterly patching was enough and whether Adobe would consider moving to a more frequent model, such as Microsoft's monthly Patch Tuesday. He said that its assessments have led to cost and frequency being weighed against each other, but he felt that, as Microsoft is constantly patching, it was a better tactic to patch less often but on a larger scale.
He said: “For us an urgent situation is if there are attacks or we have seen enough sufficient information to know that an attack would be imminent in the wild. We always take things into account, but the goal is to keep users as safe as possible and take in the cost of rolling out patches.”
Another recent announcement was that the BlackBerry Playbook tablet would feature Adobe products, in particular the two runtime software products Flash and Air. He said that Adobe Air runtime works on Mac, Windows, Android and BlackBerry, while Flash is a plug-in for the browser, as 'people will not accept a stripped down text only web page and Flash is the best for that'.
He said: “For me as the security guy it means it is no longer about Flash on Linux, Mac, Windows, it is Flash Player on Android, Symbian, Mac iOS, so there is a lot of testing to get your patches rolled out and so that is a big challenge. I don't know of any company who has had to address this until now. Everything needs to be kept up-to-date and the good news is that there is work going on to keep things up-to-date, but there is still work involved to get the patches out.”
In terms of support, this year saw a major spat between Adobe and Apple with regard to the use of Flash within the iPhone and iPad Safari browser and applications. Arkin said that applications built with Adobe Air can run on Apple devices and that the topic of Flash on the mobile Safari browser is a business issue, so there are no technology issues there.
He summed this issue up by saying that with Android you have Flash Player running on the device and in the coming months there will be more devices with Flash Player, but from a technology standpoint (for Apple) there are no limitations.
In conclusion I asked Arkin what his thoughts were on 2010 and, looking back, whether he felt it was a year when Adobe had stepped up in terms of security. He said: “We have done a lot of good work and particularly with some of the announcements such as sandboxing, the MAP collaboration and with every release for every product they are getting more secure. We are making changes so what was planned 18 months ago we are starting to see the fruits of this come out, so it has been a very good year for us.”