Security firm blasts Adobe patching process
By Stewart Mitchell
Posted on 14 Aug 2009 at 16:20
Four out of five internet users are still vulnerable to a critical Adobe Flash flaw two weeks after it was discovered, according to a report from security company Trusteer.
According to the research, which polled 2.5 million Rapport browser security service subscribers, the flaw "may be the biggest security hole on the internet today, since 99% of internet users are using Flash in their browsers".
Flash is considered an ultra-efficient platform for distributing malware because the software is found on 99% of computers, compared to only 65% for Internet Explorer and 35% for Firefox.
Yet 80% of respondents were running outdated and unpatched versions of Flash, while 84% were running a vulnerable version of Acrobat.
While the onus remains on users to update their software packages, Trusteer blames Adobe's software update process for the delay in protecting computers.
"Adobe is facing some major security challenges and one of its biggest hurdles is its software update mechanism," says Mickey Boodaei, CEO of Trusteer. "For some reason, it is not effective enough in distributing security patches to the field.
"Given the lack of attention this situation has received to date, it appears that few people understand the magnitude of the problem."
Adobe says it has done everything necessary to ensure the update was rolled out as quickly and widely as possible.
"We treat any potential security threat against all our products as a top priority," the company told PC Pro. "Delivering product updates to users in a timely manner is only part of an effective security response – users also need to install the updates to be protected."
The company also says it publicised the updates widely, configured the Adobe servers to notify Flash users of the update, and programmed the Adobe Update Manager to push the latest updates.
I must admit this mystifies me. I always manually update Adobe products because I don't recall ever being asked to install an update. I would never find out about these updates if I didn't read the tech press and check manually from time to time.
By c6ten on 14 Aug 2009
c6ten
You can set the update frequency at:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html
Flash does seem to be the work of the devil......
By davidsoap on 15 Aug 2009
Adobe is trying its best
In my opinion, Adobe is doing a great job issuing security updates for all of its products in such a short time. Why are people being so hard on them? It is up to people to install the updates themselves. Yes, Adobe could provide a better automatic update mechanism, but then people would moan “I really don’t like how Adobe is silently updating the software on my PC.”
So I don’t think there is a way to please everyone. My advice is to check
http://blogs.adobe.com/psirt/
regularly for news about updates and install all the security updates for any Adobe software you have. Finally, stop being so negative about a company that is really trying its best.
By Jimbo762 on 16 Aug 2009
c.f. http://news.cnet.com/8301-27080_3-10304455-245.html
By Doddie on 16 Aug 2009
Adobe is trying its best
@Doddie: I read that article on CNet the day after it was written. I was aware that Adobe has something to learn from Microsoft, they are writing an Adobe and Microsoft co-authored blog at http://blogs.msdn.com/sdl/
Adobe is learning how to make its software more secure by incorporating elements of Microsoft’s SDL (Secure Development Lifecycle) into its own software.
I think they should be applauded for doing this. It shows Adobe is responding to the problem of its ever increasing exploitation of its software.
By Jimbo762 on 17 Aug 2009
I would have more sympathy for them if their update packages would remove the previous versions and not need me to download a specific Flash removal tool to get rid first (and reboot) before I go get the latest version.
And if the latest download of Adobe Reader actually were the latest version - it wasn't - Secunia PSI alerted me it was still behind, so I made Reader look for updates to the software I had downloaded 5 mins ago - and Reader found a patch for itself.
By AdrianB on 18 Aug 2009
Adobe is trying its best
@AdrianB,
The only reason I can think that your Adobe Reader version did not update was that you turned off automatic updates in Adobe Reader. Also, Adobe Reader will only auto update when you open the program or view a PDF (either stored on your disk or by clicking a link to a PDF online) and have a connection to the internet. Otherwise, the updater will kick in and most people won’t notice it in the system tray beside the clock with an error message saying that no internet connection is available.
You don’t need to uninstall Flash Player or Shockwave Player using the Removal (Uninstall) tools. Just go to the Add/Remove Program applet in the Control Panel and remove them from there with no reboot required. Then go online and install the new versions. Simple. I have been installing and uninstalling Flash Player and Shockwave Player like this for years on both XP and Vista and have never had a problem.
As I said, check the blog at
http://blogs.adobe.com/psirt/
for notices of security updates and install them when they are announced. I don’t think it is asking too much to click on the link to the blog from your browser favourites and then install any updates that are mentioned since the last time you checked the blog. It takes me only a few seconds a week to do this. Alternatively, check the security advisories page at
http://www.adobe.com/support/security/
regularly.
If you want to stay secure with the latest versions of Adobe software, a small amount of effort is required. As I said, if Adobe automatic update was more automated and installed updates for Flash, Shockwave, Adobe AIR, Adobe Reader and Adobe Acrobat without asking by default, it wouldn’t win many people’s opinion. Perhaps email notifications of updates sent by Adobe would work? But then you need to rely on people adding the address from which Adobe would send email to their address books to prevent it being marked as spam. Also, are people going to believe the emails they receive since they contain advice to update your software and click on the link here to do so? It is very possible people would mistake these for fake security alerts or other false messages.
See what I mean about there not being an ideal solution to how Adobe lets people know about updates and how they are installed (see my first post above about this). Which is why Adobe use the method they do.
Honestly, I just wish everyone would stop complaining about Adobe updates, install them using a technique of their choice and enjoy the benefits of a more secure computer.
By Jimbo762 on 19 Aug 2009
