An Update on Staying Up-To-Date

One of the common themes I promote when speaking publicly about software security is the importance of staying up-to-date. Most users who ever encountered a security problem using Adobe products were attacked via a known vulnerability that was patched in more recent versions of the software. This is why we’ve invested so much in the new Adobe Reader Updater that goes into full production with our Tuesday April 13, 2010 release. (For more details on the new updater, see Steve Gottwals’ Adobe Reader blog post titled “Upcoming Adobe Reader and Acrobat 9.3.2 and 8.2.2 to be Delivered by New Updater.”)
We’re also hard at work on ways to better protect our enterprise users in managed desktop environments by collaborating closely with Microsoft to make it easier for Microsoft System Center Configuration Manager (SCCM) and Microsoft System Center Essentials (SCE) customers to import Adobe updates through the Microsoft System Center Updates Publisher (SCUP) and manage their distribution to client computers. We’ll have more details to share later in the year as work progresses.
Given this emphasis on staying up-to-date, we have been fielding questions about why the Adobe Download Center at http://get.adobe.com/reader/ doesn’t always serve the most recent version of Adobe Reader. (For instance, when the April 13, 2010 update goes out, the latest version of Adobe Reader will be 9.3.2, while the Download Center will offer version 9.3.0.) Since the explanation does not fit into the 140 characters of a tweet, let me provide more insight into the reasoning here:
Historically, the decision was based on resource allocation trade-offs and windows of risk. The Adobe Reader Download Center landing page offers more than 70 different full installers representing each supported language and platform pair. Each must be fully tested, and then the Download Center itself must be tested to make sure the correct language/operating system installer is offered to the various browser/language/operating system requests to the site. Despite all of the automation in place, this total effort still represents thousands of person-hours. For a “double-dot” release like 9.3.2, we only produce an update, which does not involve creating and testing full installers. This allows us to get the update out the door as soon as it is available.
The intended behavior of the update mechanism in the product is that it checks for updates the first time Adobe Reader executes after an installation. When everything works as intended, users are updated to the latest version the first time they run the product, so the window of exposure for a fresh Download Center install is the time between installation and that first successful update check.
With all of that said, our commitment to protect our users is a key priority for us, and our continued efforts to help close the window of exposure to vulnerabilities are part of that commitment. As I mentioned earlier, the majority of attacks we are seeing exploit software installations that are not up-to-date with the latest security updates, which suggests that far too many users are currently not installing the security updates that would protect them. The new updater technology was designed to address part of this problem.
In addition, we are working on making a change to some of the language/operating system versions of Adobe Reader hosted on the Download Center. Starting with the next quarterly security update for Adobe Reader, currently scheduled for July 13, 2010, we will update the Download Center to offer an installer for the latest version of Adobe Reader for the English, German, Spanish, Japanese and French language versions for Windows, and the English version for the Mac. Today, these platform/language pairs represent the overwhelming majority of Adobe Reader downloads. With this change to the Adobe Reader Download Center, we believe we can help even more users get to the latest, most secure release and continue to drive the message of how important it is to stay updated.
We are constantly engaged in security process improvement efforts in order to strengthen the protection for our customers. This includes methods of reducing the window of exposure to vulnerabilities, to make sure end-users are rapidly protected against quickly evolving threats, as well as stronger controls within the product itself. Our strategy is therefore to protect the greatest number of end-users as expediently as possible. As we continue to make improvements to the security posture of our products, we’ll continue to communicate dates and details via the ASSET blog.