Adobe joins Patch Tuesday

Adobe Reader Logo

Adobe is to start a regular patching cycle alongside Microsoft's, after a PDF flaw earlier this year highlighted problems in the firm's security response process.

A vulnerability in PDFs was discovered in February, and only partially patched in March. The full fix wasn't offered until this month, despite the flaw being actively exploited by attackers.

Brad Arkin, director of product security and privacy, wrote in Adobe's security blog that the incident led the firm to examine its security and patching process.

"Everything from our security team's communications during an incident to our security update process to the code itself has been carefully reviewed," he wrote.

One major change is Adobe will now offer a quarterly patching cycle. Previously, it fixed flaws whenever they showed up, but from this summer will start to offer regular updates timed to coincide with Microsoft's monthly patching exercise, dubbed Patch Tuesday.

"Based on feedback from our customers, who have processes and resources geared toward Microsoft's Patch Tuesday security updates, we will make Adobe's quarterly patches available on the same days," Arkin wrote, noting previous patches released on the same day as Microsoft's were just a coincidence.

Adobe said it would also look to "harden" existing base code, to make sure legacy sections are as secure as more recent code, which is subject to more stringent testing than code written years ago.

The firm is also looking to improve how it manages major security problems. "We've targeted several specific areas where we are improving our incident response process," Arkin wrote.

"We expect folks outside Adobe will see more timely communications regarding incidents, quicker turn-around times on patch releases, and simultaneous patches for more affected versions as we move forward."