We’ve written about Adobe’s Acrobat and Adobe Reader software, which are commonly used on the Mac, and which have been found to have a number of security issues over the years. We’ve lamented – as in this case – the time it takes for Adobe to get its security updates released, and even gone as far as suggesting that Mac users avoid using Adobe Reader and switch to Apple’s Preview as a PDF viewer to avoid exposure to dangerous security issues.
Well, Adobe has posted some information about new security initiatives. The company is planning to improve security in three ways: through code hardening, incident response process improvements, and regular security updates. While point two mentions “quicker turn-around times on patch releases” – because one criticism of Adobe has been the delays in getting security updates out to the public – point three seems a bit odd. Under “regular security updates”, Adobe says the company will “release security updates for all major supported versions and platforms of Adobe Reader and Acrobat on a quarterly basis.” In other words, there will be grouped security updates every three months, and not as needed. This means that between the time a vulnerability is found and an update is released, users may have to wait three months (actually a bit more; given the time that it takes to create and test an update, a flaw found in the last two weeks of any cycle probably won’t get patched on the next update issuance date).
While Adobe is trying to reassure its enterprise customers, especially by announcing regular “patch Tuesdays”, à la Microsoft, we Mac users may feel this is a ludicrous idea. Only issuing security updates every three months is hardly the type of responsiveness that Mac users want to see from software vendors. We’re actually more concerned now than before, and reiterate our recommendation that you avoid Acrobat Reader unless you have some compelling reason to prefer it over Apple’s Preview. While Preview has had security issues, there seem to be far fewer than with Acrobat’s PDF tools. If you need to edit PDFs, Adobe Acrobat is hard to replace; you should be attentive, and only use it on PDFs whose provenance you are aware of.