Forgot your password?
typodupeerror
Security IT

Adobe May Change To Monthly Patch Cycle 76

Posted by timothy
from the are-you-on-the-patch? dept.
Trailrunner7 writes "Adobe, which has been under fire for the security of its flagship products, Flash and Reader, for some time now, may be on the verge of changing its patching process to push fixes out on a monthly schedule, which would coincide with Microsoft's monthly Patch Tuesday releases. The change would be the second major adjustment to Adobe's patching process in the last year or so. In 2009 the company moved to a scheduled quarterly patch release process in an effort to give its customers a better chance to plan for testing and deployment. That change was generally well-received. Now Adobe may change the schedule again in order to get patches out more quickly. The company is considering releasing its security fixes for Reader on a monthly schedule, the same day that Microsoft releases its patches."
This discussion has been archived. No new comments can be posted.

Adobe May Change To Monthly Patch Cycle

Comments Filter:
  • by Silly Man (15712) on Thursday May 27, 2010 @03:43PM (#32367018) Homepage Journal

    But will they stop placing that stupid icon on our desktop during every single update?!

    • I hate that too! It seems like I'm deleting the Acrobat Reader icon and shortcut every other day. I've submitted a bug report to Adobe three times already about that.

      • by Silly Man (15712)

        In America, You get Adobe Icon. In Soviet Adobe, Icon gets you!

        • It's because the maroon's at Adobe confuse "update" with "full install, including a bunch of other non-Adobe Reader stuff like Adobe AIR".

      • Re: (Score:3, Interesting)

        look at what others do to avoid that pitfall.
        http://www.appdeploy.com/packages/detail.asp?id=1328 [appdeploy.com]

        • by DrVomact (726065)

          look at what others do to avoid that pitfall. [link]

          I don't get it. The link directs me to some commercial site that sells (I assume) something or other. A short explanation of what I'm supposed to look for or what this does seems indicated.

      • by hairyfeet (841228)

        Have you tried Foxit [foxitsoftware.com] PDF Reader? It's free, they seem to get patches out more quickly, often on the same day an exploit is announced, they use a separate light and more locked down PDF reader for Firefox to help make web based PDFs less of a security risk, and they aren't a bloated mess like Adobe.

        If you decide you want to try it I would get it through Ninite [ninite.com] as Ninite is a single click online unattended installation, has dozens of apps that you can install in any combo you choose, has all the ones friends/

    • Of course not... They want more visibility, even at the cost of being annoying....

    • Re: (Score:3, Informative)

      by Skuld-Chan (302449)

      No - because your essentially reinstalling the product. You can use customization wizard (free download on their site) to build a modified install so you never see that icon again ;).

      • Re: (Score:1, Insightful)

        by Anonymous Coward
        And every other full install on the planet can ask if I want a desktop icon except Adobe?
      • by Trashman (3003)

        Thanks for mentioning it and not providing a link [adobe.com]

      • by teridon (139550)

        That "Wizard" is practically useless -- the updates for it lag so far behind the Reader releases that half of the functions (like removing the icon from the desktop) stop working. For example, the function to prevent the creation of the desktop icon no longer works.

        I've found it more reliable to script the installation, removing the desktop icon using the script (%ALLUSERSPROFILE%\Desktop\Adobe Reader 9.lnk or %PUBLIC%\Desktop\Adobe Reader 9.lnk)

    • Thank you, thank you, thank you. One of the most insightful first posts I've seen in awhile. I've been complaining about this for years!
  • Great! (Score:3, Insightful)

    by leonardofelin (1211778) on Thursday May 27, 2010 @03:46PM (#32367068)

    Now I won't know whose patch messed up my computer after the update...

  • I don't get the feeling malware authors are going to be negatively affected in any way.
  • by AriesGeek (593959) <aries.ariesgeek@com> on Thursday May 27, 2010 @03:47PM (#32367098) Homepage Journal
    Seriously, Adobe, why do I have to reboot after updating your damn user-land software? I can even install some OS patches without rebooting!
    • by PalmKiller (174161) on Thursday May 27, 2010 @03:54PM (#32367206) Homepage
      You don't, just tell it not to reboot, and the new version will work fine until you decide to do the reboot
      • by BitZtream (692029)

        Because any number of apps may have hooked into the adobe DLLs to use various bits from them and its rather difficult (not impossible) to figure out which apps those might be and give you some info about them.

        Also in reality, most users won't know what to do so rebooting is a fine alternative for the computer ignorant.

        It amazes me that slashdot has so many users who will tell you much they know about system administration and programming, but don't understand the concept of dependencies

        • by drinkypoo (153816)

          Because any number of apps may have hooked into the adobe DLLs to use various bits from them and its rather difficult (not impossible) to figure out which apps those might be and give you some info about them.

          That's a stupid argument, and slashdot is stupider for it. The OS knows exactly who is using what DLL. It would be a triviality to terminate all such processes, and it ought to be safe, too, since the OS doesn't use any Adobe DLLs. Give the user a chance to quit any which have a GUI, which is also trivial to find out (are they in the window list?)

    • Re: (Score:1, Interesting)

      by Anonymous Coward
      You almost never do have to. But the people writing the patch just use a standard MSI constructor that has the "requires reboot" flag bit turned on by default. Because the people in charge of the patch are not experts in the MSI system the don't fiddle with it.

      I am quite sure that there are lots of options that are just left on because it is less effort to not touch them than to figure out if it is really needed.

      On the other hand there it might be an effort to avoid issues with those less computer s
    • by h4rr4r (612664)

      Probably because windows cannot replace files in use. I know in 2010 that seems crazy, but there it is.

      It is easier to make you reboot than to make sure nothing has any of their files open.

  • stop using adobe (Score:2, Insightful)

    by fatbuckel (1714764)
    stop using adobe.
  • by Idiomatick (976696) on Thursday May 27, 2010 @03:57PM (#32367248)
    You know you suck when your company is playing catchup with Microsoft on security and patching.
    • by PsychoSlashDot (207849) on Thursday May 27, 2010 @10:56PM (#32371584)

      You know you suck when your company is playing catchup with Microsoft on security and patching.

      Seriously. I don't like to swear much on Slashdot, but I'd like to tell Adobe "fuck you!"

      This isn't about an operating system. It isn't even about a productivity suite like Office. It's a reader. Stop patching every damned month and secure the bastard. Right now. One patch and you're done. I do not condone any corporate plan to regularly trickle out tiny fixes here and there when they're discovered because that's Good Enough. It's not good enough.

      Adobe needs to change their product plan.

      Adobe Reader - views PDFs and that's it
      Adobe Reader Pro - views PDFs, has all the scripting and form-filling features that are vulnerable and buggy
      Adobe Acrobat - makes PDFs

      Strip Reader down to as few features as possible. We know that 99% of what Reader is used for is flat basic text reading. So either make a product that does that and only that, or at least make a MODE where turning on all the other features for X minutes requires a UAC-style prompt.

  • by Anonymous Coward

    Hey !! Adobe !, if you insist on following Microsoft's example of distributing crappy software with even more crappier default settings, then please arrange we can update the crap via WSUS as well. your own distribution tools S U C K !

  • Full installer (Score:3, Insightful)

    by Nimey (114278) on Thursday May 27, 2010 @04:07PM (#32367388) Homepage Journal

    How about releasing a full installer of the latest revision, instead of this idiocy where we have to download 9.3.0 from their website and then manually tell it to install 9.3.2? It can't be /that/ hard.

    • by BitZtream (692029)

      How about hireing some developers with a clue.

      How about not putting features in a DOCUMENT format that aren't needed.?

      If they want to make PDF do everything that HTML will they'll quickly find people will just send self contained HTML files instead. Why this isn't done now is simply because no one has bothered to make an HTML editor that doesn't fucking suck.

    • by teridon (139550)
      I agree, but you can work around this using the command line.  (I know, it sucks to have to do this!)

      Download the full MSI installer for 9.3.0, plus the patches for 9.3.1 and 9.3.2 (etc) from ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/

      Then, install with:

      msiexec /passive /i AdbeRdr930_en_US.msi PATCH=AdbeRdrUpd931_all_incr.msp;AdbeRdrUpd932_all_incr.msp
      • by Nimey (114278)

        Neat. Nitpick, though: 9.3.2 will apply directly to 9.3.0, so you don't need the intermediate step.

        • by teridon (139550)
          I did not know that, thank you.  I didn't bother testing only applying 9.3.2 --  I just tacked the extra patch onto the end and it worked, so I left it at that.
  • I have spoken to a number of heads of IT about security. They seem to really hate Firefox with a strong passion.

    Why? Because they don't inform admins ahead of time if there will be a new patch coming out soon. They release security updates with no warning or set schedule (so admins have to scramble each time there is a new security patch). With IE (via Windows' patch Tuesdays) and now Flash/Reader having a set schedule, Firefox will be the only commonly used software that doesn't have a scheduled security r

    • by Drew M. (5831)

      Because it's too difficult to quickly Google their release schedule which gives you upcoming notice of a release? https://wiki.mozilla.org/Releases [mozilla.org]

    • by Nerdfest (867930)
      Doesn't FireFox release patches as soon as they are available? Why would you force someone to wait for an update? Don't force them to install it, but don't make them wait either.
      • This makes sense for home users, however, for enterprises, they like complete control over rollout of patches. The risk of a patch causing problems that impact the business could be very costly and is avoided at all times. IT Departments like to have the patch and test it internally to ensure there is no impact to the business before rolling it out. Also keep in mind that in many enterprises, the end user doesn't have admin access and can't apply the patch anyways.

        • by h4rr4r (612664)

          Which means the admins just need to have a test machine for this. It seems more like lazy admins than anything else.

          I run and test lots of stuff when the update alert comes out from their mailing list.

        • by hairyfeet (841228)

          So why not simply turn off Firefox updates and use the group Policy friendly Frontmotion [frontmotion.com] Firefox build? It supports Group Policy Objects and AD, you can even use their MSI packager service to "roll your own" with whatever settings you choose.

          I may be a Windows guy, but one of the things I like about FOSS is if there is a problem, somebody will often take the code and find a solution.

      • by Stray7Xi (698337)

        Doesn't FireFox release patches as soon as they are available? Why would you force someone to wait for an update?

        Predictable structure when trying to maintain SOP/audits/compliance. A fully patched IE with a critical bug is just fine from a policy perspective and is easy to maintain with scheduled patches (Tuesday is good). Firefox releasing a patch on a friday makes for unhappy admin who would prefer to push it off until after their weekend.

    • by Culture20 (968837)

      I have spoken to a number of heads of IT about security. They seem to really hate Firefox with a strong passion.

      Heads of IT as in managers, CIOs? Or heads of IT as in Senior Sysadmins? Most sysadmins don't mind scrambling when it means security is being increased. Most managers hate scrambling because it means overtime, and because they look bad because they aren't managing their people's time appropriately. In short, your "head of IT" friends are pointy haired bosses who don't like change.

      FYI, as long as you know what you're doing, updating firefox on windows remotely for X machines doesn't require a mad scram

  • I am an IT and these update are PAIN IN THE ASS. Personally, I am tired of updating every single piece of software I use individually BUT it is very bad for my customers. 1. Most of them include crap like Norton scan, toolbars and other badware. 2. The majority of my customers require older version for their manufacturer system to work (old java, old acrobat reader, IE7 or less, ...) so when they do update (because they are harassed to do it) their software stop working. After that they are afraid to updat
    • Re: (Score:3, Insightful)

      by Pharmboy (216950)

      Can't Microsoft put their foot down and ask anybody who want to do update to work with them ?

      Oh yea, MS should put their foot down and tell them "if you want your 3rd party program to be installed on customer's computers, you have to go through us. No more 3rd party applications installed unless it is through us or at least done our way". No, that wouldn't perk up the DOJ. And I'm sure that everyone on /. and every other blog would say "yes, that sounds like a good idea".

      Once they did that, the thread on

      • by h4rr4r (612664)

        They could fix their update mechanism though. Windows sure could use a repository based update system, the user/admins could add any other repositories they wanted even internal ones. Another big fix would be allowing files that are open to be replaced, so that updates do not always require a reboot.

      • Re: (Score:3, Interesting)

        by gad_zuki! (70830)

        Well, Adobe could release plugins for the new version of WSUS and admins can simply approve them like they do MS patches in WSUS. Or at least change their updaters so they make some sense. I just installed Acrobat 8.0. The updated proceeded to install:

        8.0.1
        8.0.2
        8.0.3
        8.1.0
        8.1.1
        etc
        Almost each asking for a reboot.

        Instead it should have downloaded the update straight to 8.2 or whatever the current version is and then done the incremental to 8.2.3.

        Lastly, they need to disable javascript by default in reader. U

      • Microsoft have the right to ask that every automatic update as to be pushed by them, since they are always pointed when PC have bug or security risk.
        What about you ask for update when the customer launch your software or else you use WU. Many hardware manufacturer started using WU for updating device drivers and it is working very well.
        You code for Windows, you work with Microsoft this way admin can choose what to apply and what to refuse and you stop bugging the end user.

        BTW third party updates are o
        • by Pharmboy (216950)

          So Google and Firefox should have to use Windows Update? Perl, Cygwin should too? This is patently absurd. Perhaps then Microsoft could just say "No, we don't like you, so no updates from our servers, which means no updates".

          These companies don't "code for Windows", they write software that runs on multiple platforms, such as Linux, OS X and Windows. They don't need to "work with Microsoft" because it isn't Microsoft's fucking business, only the operating system is. They are COMPETITORS to Microsoft.

  • I think Adobe deserves a little credit here. Increasing the frequency of commercial software releases is not trivial. They are aware of their vulnerabilities and quality issues. They genuinely want to make their software better, and they want those improvements available to customers sooner.
    • by cusco (717999)
      If the genuinely want to make their software "better" then why do they always erase the settings that I've saved and overwrite them with their defaults again? Why do they insist that I first download their ^%&$*#) proprietary download software (which then wants to take over all my future downloads) rather than use http or FTP like every other frelling software vendor? If they want to make "better" software why do they release it when they KNOW about security holes? What is "better" about Acrobat Read
      • > My loathing of Adobe is almost boundless.

        Yet you continue to use their software.

        • by cusco (717999)
          No, I don't. I just frequently encounter it on customers' servers, and when I can I uninstall it and put FoxIt or something else usable that doesn't have truck-sized security holes in it.
  • The last sentence in the summary is a repeat of the beginning of the paragraph. Further, the second-to-last sentence is unnecessary - the information there (that the previous quarterly patches were also on microsoft patch tuesday) can be easily added to the sentence before it.

    Not that I expect well-written summaries here (and let's be honest, most people don't even read the summary in its entirety, much less TFA) but this is pretty bad.

  • by haplo21112 (184264) <{moc.anhtipe} {ta} {olpah}> on Thursday May 27, 2010 @04:38PM (#32367920) Homepage

    Adobe patches are crap in general.
    1. They usually take the form of nearly complete product updates, patches 80% of the size of the installed product are common.
    2. They currently only rarely issue roll-ups so you end up in the you have to have 9.3.1 base, then install 9.3.2 patch , then install 9.3.3 patch can't jump from 9.3.1 directly to 9.3.3

    This sort of stuff drives the guy at my company in change of Adobe software deployments insane. For a new machine install it takes forever as each individual patch is installed by the software deployment system.

    • by DrVomact (726065)

      Adobe patches are crap in general.

      Please mod parent up; this is a lapidary summary, and nothing more need be said.

      Of course I'm going to say more. I have a lot of emotional trauma that requires venting. Trauma inflicted on me by Adobe. In fact, it's not just the patches, it's the apps themselves I hate. And I hate Adobe's executives, their dogs, wives, children, houses, golf clubs, and the mothers that gave them all birth.

      I have actively distrusted Adobe for several years, ever since they snuck in a stealth updating mechanism (it's called

  • just put them windows / MS update

  • by uremog (931065)
    I do not look forward to "that time of the month" when my PC bleeds Adobe out of its port.
  • In addition to MS patches and girlfriend's problems, this is another monthly problem I don't look forward to dealing with. Who am I kidding? This is slashdot. I don't have a girlfriend. But I'll tell you what, my mom's aim is better than normal when she's throwing things at me from top of the basement stairs once a month.

  • ...and the second Tuesday of the month can become a national holiday for everyone except IT (and Free Software users). The next step will an act of Congress declaring the Monday before the second Tuesday of the month to be Patch Tuesday so as to create a three day weekend.

  • Hasn't anyone else noticed that the last few big adobe patches were on MS patch Tuesdays?
  • When a patch goes wrong or breaks something you'll have to do more work to figure out whose patch just broke your machine.

  • Awesome! (Score:3, Funny)

    by drfreak (303147) <dtarsky@NOSpAM.gmail.com> on Thursday May 27, 2010 @09:02PM (#32370858)

    Adobe exceeds expectations again with upping the frequency of the updater we all know and love.

  • ... motivating software engineers (by loss of MONEY) who release things that have big ass security bugs in them in the first place. And put up a scoreboard of the engineer with the most stupid bugs for all to see.

    "We have gone X days without an exploit." - just like the safety signs in factories. Since after all, it is software safety we're talking about here.

Money will say more in one moment than the most eloquent lover can in years.

Working...