After Attacks, Adobe Patches Now Come Faster

Hackers like Adobe Systems, and now the company knows it all too well.

Adobe’s software has increasingly come under attack in recent years as hackers have come to realize that it can be easier to find flaws in popular software that runs on top of Windows than to dig up new vulnerabilities in the operating system itself.

That’s led to a round of new attacks that exploit bugs in products such as Adobe’s Reader, Apple’s QuickTime, and the Mozilla Firefox browser, for example.

It’s a reality that Adobe Chief Technology Officer Kevin Lynch freely acknowledged Monday in a press conference at the company’s annual Adobe MAX developer conference, held in Los Angeles.

“We have absolutely seen an increase in the number of attacks around Reader in particular, and also Flash Player to some extent,” he said. “We’re working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it’s within two weeks for critical issues.”

For Adobe this new reality became clear around February, when the company’s Reader and Acrobat software was the target of a widespread attack. The volunteer watchdog group Shadowserver Foundation started sounding the alarm about the problem on February 19. And though security experts later determined that it had been exploited by attackers since early January, Adobe didn’t end up patching its bug until March 10. It took two more weeks for the company to patch all of its supported platforms.

It was a public relations disaster for the company, whose sluggish response was pilloried by security experts.

Adobe Director for Product Security and Privacy Brad Arkin says the problems spurred good things, though. “We used that experience to help understand where the bottlenecks were and what process changes we could implement to improve our response time,” he said in an interview Monday.

In May, Arkin announced that the company would take new steps to stress-test its software, and improve its response-time to security incidents.

Now Adobe releases regularly scheduled security software updates (the latest is due next week) like Microsoft and Oracle, but if it needs to rush out a patch, it can do this much more quickly than before.

Adobe posted emergency patches in May and again at the end of July, both of which took about two weeks to turn around, Arkin said. “The turnaround for these things is something that has been a real focus,” he said.

“We understand that given our wide distribution base we’re going to be a target,” Arkin added. “These types of software patches are going to be a fact of life for us.”

(James Niccolai in Los Angeles contributed to this report.)