Follow-Up to Threatpost Live Chat

I sat down for a live chat session moderated by Dennis Fisher from Threatpost on Wednesday, February 24, 2010. I was impressed with the turnout and the number of great questions. Thanks again to everyone who participated. The transcript from the live session is here. I didn’t have time to get to all the questions I wanted to answer, so I’ve posted some of the overflow Q&A here:
Q: Has there been any consideration given to releasing a “light” version of Reader supporting a reduced feature set with a formally specified subset of the PDF ISO spec?
A: Adobe is exploring some ideas, but we are not currently actively working on a “light” version of Adobe Reader. Adobe continues to drive innovation in PDF products and services through active involvement in the ISO 32000 working group and through products like Adobe LiveCycle, Adobe Reader and Acrobat.
Q: Having msi installation packages for Flash and Shockwave is great, why not for Reader? It would make it easier to deploy updated versions.
A: We do offer “msi” installation packages of our full installers. When we deliver patches, those come in “msp” format.
Q: Has Adobe considered having JavaScript turned off in Adobe Reader by default?
A: End-users can disable JavaScript in Adobe Reader. But, just like disabling JavaScript in Web browsers, doing so also disables the functionality of legitimate content, such as PDF forms. We have introduced an approach that gives customers more control and allows them to mitigate risk without giving up critical functionality. Adobe Reader supports the JavaScript Blacklist Framework, a much more granular approach that provides control over specific JavaScript API calls as opposed to simply turning all JavaScript functionality off.
Q: If you are willing to work with partners for distribution of patches, how about Microsoft and WSUS? Do you have a way of pushing updates from a local server within the organization instead of all workstations needing to connect to Adobe, like Microsoft WSUS server?
A: Today, enterprise customers typically disable the update mechanism built into the product and use their own enterprise tools for deploying our updates (which we make available to them from the support download section of our Web site). Microsoft and Adobe are working closely together to help improve the software update experience for our mutual customers. Through this collaboration we hope to make it easier for Microsoft System Center Configuration Manager (SCCM) and Microsoft System Center Essentials (SCE) customers to import Adobe updates through the Microsoft System Center Updates Publisher (SCUP) and manage their distribution to client computers. When we have final details on this process, we will share them with our customers and the media, but for now, we have nothing to announce.
Updated response with more detail – March 17, 2010
Q: What are Adobe’s plans to make people feel more comfortable with their products? It seems to me that there is a perception (whether it’s true or not) that Adobe has not been on the ball with their updates.
A: We hope that through our increased efforts at transparency into our software security efforts we can help people outside Adobe understand our dedication to making our products as safe and secure as possible to use. After retooling our response processes in early 2009 we were able to respond within two weeks for four urgent incidents later in 2009. Our shift to quarterly security updates for Adobe Reader and Acrobat also gives our customers a predictable and regular security patch schedule for mitigating responsibly disclosed incidents.
Q: How often are your internal reviews and the consultants you hire finding new flaws, relative to the ones that we see reported elsewhere?
A: Our internal security processes, including the use of external consultants, are focused on preventing vulnerabilities in the end software that we ship to customers. We’ve found the most effective way for us to do this is by front-loading our efforts on early-phase security reviews and activities such as threat modeling, specification/design reviews, and other activities from our SPLC. The output from these activities is helping us to make sure that every release raises the bar for security.
Q: The Security Bulletin “Security update available for Adobe Download Manager” contains incorrect information on removing a Service in Windows. There is no way that a Service can be deleted from the Services Console in Windows. One must edit the registry’s CurrentControlSet to remove a Service.
A: Thank you for pointing out this error. We have updated the Security Bulletin text, and apologize for any confusion.
Q: Any chance that Adobe will ever make their products updatable by non-admin users on the Windows side? Deploying a new Adobe MSI every week is getting pretty old.
A: Adobe Flash Player requires admin privileges to install at this time due to the current installation location and the need to update certain keys in the registry. We have been installing this way for years, but we welcome feedback and votes for this feature request. For Reader, the user has to be an Admin for the Windows Installer Service to install full installers (MSIs). On Vista and Windows 7 it is possible that the Windows Installer Service will allow patches (MSPs) to be applied without elevation under several conditions. Our new Reader/Acrobat updater will allow users to install without being an Admin on Vista or Windows 7 systems.