But I will say this.

Adobe is the most irresponsible company I have seen yet when it comes to updating their products.

Presently (test this yourself):

- Adobe still installs the flawed original release of the product from their website.

- If you try to patch versions right now from inside the adobe reader product, the updater will show a successful patch, the software help/about will show that it patched to current version — but if you run a Secunia scan it will show it as flawed. If you check the version of .exe it shows it as the older version.

- This also occurs with the Standard and Pro 7 versions.

- The Flash updater will leave old versions of the software around in a cute little rename of the older version. One has to manually remove the old flash versions.

- The automatic update feature in Acrobat only will check for updates if the software is started. Not a real great deal if the file that is opened is malware!!

- The Flash auto updater is so terribly inept that it could be weeks before an update is presented to a user. And the process of changing preferences on this updater is not practical.

- Countless other adobe products imbed older (flawed) versions of Flash etc that are never updated through the updater of that software.

All of the above is simply a joke.

So, yea the products are entrenched and hard to replace. But, what Adobe is doing regarding security is one of the most irresponsible things I have ever seen.

- Lars

With Adobe, they’re fixing the ATL issue from Microsoft – being proactive, kinda. But wait… they’re also fixing a large handful of other security issues – it’s a scary list (http://www.adobe.com/support/security/bulletins/apsb09-10.html).

Mozilla has released 9 security bulletins\patches this year – far more than Microsoft has for IE. Does that mean they’re any more secure or less secure? It could mean that Mozilla is more responsive than Microsoft – that they release new versions the moment they identify and fix a security issue. Or it could mean that they’re code really is that bad. (I don’t know, nor will I hasten a guess)

You can track the frequency or releases of one vendor over time for a selected product – that might point to things getting better (fewer releases), or it could mean the vendor is putting a closer eye on things and fixing more items. Either way, I like patches – it means the product is getting better (and hopefully more secure).

As I mentioned in a previous post (http://ericsblog.shavlik.com/2009/06/15/horseshoes-and-hand-grenades/) the larger the number of patches for a given product means more effort must be expended to keep that product updated. It doesn’t speak to the security of the product, only the hassle that the administrator must put up with. (one could argue the relative merits or lack thereof of the auto-update features of many of these products – that’s a blog for a different day).

And finally, “I know John Pescatore and Stephen Northcutt is no John Pescatore!” I don’t believe it’s reasonable to expect an organization to stop using Adobe – recommending abandonment is only moving your eggs into the basket that you don’t know.

How much time and expense is required to switch out Adobe for something else and is that cost proportional to the risk faced by the company? And is this just a costly long term fix for a short term problem?

It all comes back to making good business decisions informed by understanding of information security risks.

Maybe there’s a case for swapping out Adobe products, but my guess is there are more effective, cheaper controls available.

I seems like only yesterday when Gartner told the world to abandon IIS.

Michael

This is a new blog site for us and we’re still working out the kinks in the CSS. I’ll ask that the web team take a look at this. Glad you appreciate the content.

You should consider to use another font color on your text with more contrast, this is quite hard to read.

BTW good blog.

Thanks