News

Microsoft and Adobe Collaborating on Security Patches

• By Jabulani Leffall
• March 16, 2010

Microsoft and Adobe are working together on the security patch process, possibly leading to Adobe issuing patches via Windows Update.

Microsoft confirmed the collaboration, saying that it is "currently working with Adobe to develop solutions to improve the software update experience for our mutual customers," according to a statement released this week. However, a Microsoft spokesperson wouldn't specify a timeline or the nature of the collaboration. "As there is still more work to be done, we do not yet have anything solidified and will share more later," the spokesperson said.

For its part, Adobe hinted at a Microsoft collaboration in an online Q&A held late February. In response to a question about whether Adobe would consider working with partners for patch distribution, Adobe's Brad Arkin said, "We are working very closely with Microsoft for SCCM/SCUP/WSUS integration, which is targeted to happen before the end of the year."

Arkin added that enterprise customers typically disable built-in update mechanisms and "use their own enterprise tools for deploying our updates."

The Microsoft spokesperson stressed that the collaboration focused on enabling Adobe's updates through Microsoft's System Center management products.

"We are supporting Adobe's efforts to create updates that can be more easily deployed through the update management features of System Center Configuration Manager (SCCM) or System Center Essentials (SCE)," the spokesperson explained in an e-mail.

Closing the Patch Gap
Presumably, Adobe is seeking a partnership with Microsoft so that Windows enterprise IT administrators will take the company's updates more seriously, particularly as vulnerabilities proliferate across Adobe product offerings.

Adobe has arrived at a critical juncture in addressing vulnerabilities in its software. From late 2009 to early this year, exploits in Adobe programs have become so plentiful that Adobe began timing its patch releases to come out on the same Tuesday as Microsoft's own patch rollout.

Security observers say Adobe is attempting to close the patch gap, but that an alliance with Microsoft won't necessarily make things easier for IT administrators who must still contend with hackers eager to test new patches.

"I wouldn't be surprised if Adobe were to try to push for a closer collaboration with Microsoft," said Don Retallack, an analyst with Directions on Microsoft. "Of course, the difficulty with such a proposition is that you have to keep things under wraps until the update, and this is a difficult thing to do. But collaboration, at least in theory if not in practice, would be a good idea."

Adobe's update methods, noted nCircle Director of Security Andrew Storms, have a lot to be desired. He added that there is still "a lot of demand in their customer base for something more streamlined and less bloated."

"Opening up Windows Update to third parties would help get important security updates distributed, but there is a real risk to Microsoft's solid reputation," Storms said.

In particular, Storms is skeptical of what such a collaboration would mean strategically for Adobe and Microsoft's other competitors.

"Microsoft has too much to lose and very little to gain in that equation. The only way I could ever see it working is if key vendors adopted and passed Microsoft's strict quality-control program," he said.

Best Practices Shouldn't Change
Nancee Melby, director of product marketing at Shavlik Technologies, agreed, adding that Microsoft is no longer the lone target of cybercriminals intent on stealing sensitive information.

"Adobe, with its plethora of security flaws, has a big red target painted on it," she said. "Adobe is nearly as ubiquitous as Microsoft and the capabilities of Reader and Flash rival that of browsers like IE and Firefox. Adobe is the new dream target for today's cyber hacker."

Still, Melby thinks a Microsoft-Adobe collaboration would do little to deter hackers, even though the work the two companies are doing "does have the potential to have a positive impact on how secure IT administrators can make the systems on their networks."

There is also the question of the bandwidth needed to handle the patching of third-party applications. Managing an entire patch slate on hundreds or even thousands of workstations can be cumbersome. To that end, Melby said best practices for patching shouldn't change regardless of what the distribution points are.

"The vendors still owe their customers some due diligence," she said. "Microsoft has a fairly mature patch process but many third-party vendors such as Adobe need to provide structure. They need to make their research available. They need to provide viable and actionable workarounds. And finally, they need to go out-of-band when there is an exploit in the wild."