Adobe decides to put off security patch
Rather than issue an immediate patch for a security flaw in Adobe Reader and Acrobat, the company has decided to wait until their regular quarterly update in January.
Apparently the security hole has been in use by hackers since Nov. 20, although Adobe claims that they didn’t hear about it until Monday of last week. Several security firms have known of the security flaw for some time. Perhaps none of them mentioned it to Adobe, and apparently Adobe had not heard any of the buzz around the problems being experienced by users of PDF files. There are some user workarounds available, according to a ComputerWorld story.
When they did learn of the problem, Brad Arkin, Adobe’s director for product security and privacy, said, “We had two options. We could do an out-of-cycle update for this one vulnerability, and get out something as fast as we could, or try to work it into the Jan. 12 release.” Adobe apparently determined that the former would be too much trouble. Arkin said that if they had pulled engineers into the Reader/Acrobat patch job, Adobe would have had to push back the already-scheduled Jan. 12 update into at least February.
Arkin said that he could not see any other choices. It was not possible to find some third option which would have gotten users the PDF file patch immediately without delaying the rest of the contents of the regular quarterly update. Arkin said, “With a lot of work over the holidays, we decided we could get the patch into the code base for the Jan. 12 release, and still make that.”
In some ways it seems negligent to delay the fix for a known security flaw which is being actively exploited. It does not seem to be the most ethical of decisions, and one must wonder what the user base would think about it if it were allowed to vote. It is the users who are at risk because of an error in Adobe’s code, but the decision is all being made around resources and money instead of about user data concerns. It does not seem right, but it has unfortunately become the way things are done.
December 21st, 2009
Patching a known exploited flaw should have come before some nebulous “scheduled” update.