Adobe May Change To Monthly Patch Cycle

Trailrunner7 writes "Adobe, which has been under fire for the security of its flagship products, Flash and Reader, for some time now, may be on the verge of changing its patching process to push fixes out on a monthly schedule, which would coincide with Microsoft's monthly Patch Tuesday releases. The change would be the second major adjustment to Adobe's patching process in the last year or so. In 2009 the company moved to a scheduled quarterly patch release process in an effort to give its customers a better chance to plan for testing and deployment. That change was generally well-received. Now Adobe may change the schedule again in order to get patches out more quickly. The company is considering releasing its security fixes for Reader on a monthly schedule, the same day that Microsoft releases its patches."

STUPID ACROREAD ICON

[Silly+Man]

But will they stop placing that stupid icon on our desktop during every single update?!

Re:STUPID ACROREAD ICON

[Jogar+the+Barbarian]

I hate that too! It seems like I'm deleting the Acrobat Reader icon and shortcut every other day. I've submitted a bug report to Adobe three times already about that.

Re:STUPID ACROREAD ICON

[King+InuYasha]

Of course not... They want more visibility, even at the cost of being annoying....

Re:STUPID ACROREAD ICON

[Silly+Man]

In America, You get Adobe Icon. In Soviet Adobe, Icon gets you!

Re:STUPID ACROREAD ICON

[Skuld-Chan]

No - because your essentially reinstalling the product. You can use customization wizard (free download on their site) to build a modified install so you never see that icon again ;).

Re:STUPID ACROREAD ICON

[denis-The-menace]

look at what others do to avoid that pitfall.
http://www.appdeploy.com/packages/detail.asp?id=1328

Re:STUPID ACROREAD ICON

And every other full install on the planet can ask if I want a desktop icon except Adobe?

Re:STUPID ACROREAD ICON

[Trashman]

Thanks for mentioning it and not providing a link

Re:STUPID ACROREAD ICON

[DrVomact]

look at what others do to avoid that pitfall. [link]

I don't get it. The link directs me to some commercial site that sells (I assume) something or other. A short explanation of what I'm supposed to look for or what this does seems indicated.

Re:STUPID ACROREAD ICON

[davester666]

It's because the maroon's at Adobe confuse "update" with "full install, including a bunch of other non-Adobe Reader stuff like Adobe AIR".

Re:STUPID ACROREAD ICON

Basically it says use Orca to remove the desktop icon entry.

Re:STUPID ACROREAD ICON

[hairyfeet]

Have you tried Foxit PDF Reader? It's free, they seem to get patches out more quickly, often on the same day an exploit is announced, they use a separate light and more locked down PDF reader for Firefox to help make web based PDFs less of a security risk, and they aren't a bloated mess like Adobe.

If you decide you want to try it I would get it through Ninite as Ninite is a single click online unattended installation, has dozens of apps that you can install in any combo you choose, has all the ones friends/relatives call you complaining they don't have, such as Flash, Java, .NET, Silverlight,etc, and is pretty much a one stop shop for apps that even your grandma could use. Oh and NO toolbars allowed, which some companies just seem to love to drop on you nowadays (I'm looking at YOU Sun/Oracle!)

So give it a try. I have a feeling once you switch over to Foxit and Ninite you won't be going back. Ninite is especially good if you have any long distance relatives you need to support. Just tell them which programs to tick the checkbox for, tell them to run it, and voila! Free apps all installed and set up pretty as you please. Makes a great way to set up a new PC too.

Re:STUPID ACROREAD ICON

[Teufelsmuhle]

Thank you, thank you, thank you. One of the most insightful first posts I've seen in awhile. I've been complaining about this for years!

Re:STUPID ACROREAD ICON

[teridon]

That "Wizard" is practically useless -- the updates for it lag so far behind the Reader releases that half of the functions (like removing the icon from the desktop) stop working. For example, the function to prevent the creation of the desktop icon no longer works.

I've found it more reliable to script the installation, removing the desktop icon using the script (%ALLUSERSPROFILE%\Desktop\Adobe Reader 9.lnk or %PUBLIC%\Desktop\Adobe Reader 9.lnk)

from the are-you-on-the-patch? dept.

They updated their patch name to the following:

Problem Mitigation System.

Apparently, you have to be careful. The patches are often bloated with excess code, and can ruin your day if you look at them the wrong way.

Great!

[leonardofelin]

Now I won't know whose patch messed up my computer after the update...

Re:Great!

[NevarMore]

Thats the idea, its called "the blame game" and it cuts down on support costs.

Faster is always better, but...

[The+Angry+Mick]

I don't get the feeling malware authors are going to be negatively affected in any way.

Will we still have to REBOOT?

[AriesGeek]

Seriously, Adobe, why do I have to reboot after updating your damn user-land software? I can even install some OS patches without rebooting!

Re:Will we still have to REBOOT?

[PalmKiller]

You don't, just tell it not to reboot, and the new version will work fine until you decide to do the reboot

Re:Will we still have to REBOOT?

You almost never do have to. But the people writing the patch just use a standard MSI constructor that has the "requires reboot" flag bit turned on by default. Because the people in charge of the patch are not experts in the MSI system the don't fiddle with it.

I am quite sure that there are lots of options that are just left on because it is less effort to not touch them than to figure out if it is really needed.

On the other hand there it might be an effort to avoid issues with those less computer savy. Many computer illiterate users actually have some part of reader in resident memory, and that it is easier to tell them to restart the computer than to tell them to close the PDF file they have open in IE 5.

Re:Will we still have to REBOOT?

[h4rr4r]

Probably because windows cannot replace files in use. I know in 2010 that seems crazy, but there it is.

It is easier to make you reboot than to make sure nothing has any of their files open.

Re:Will we still have to REBOOT?

... and the new version will work fine until you decide to do the reboot.

So, the moment you reboot your computer, BAM! it won't work. Great job, Adobe?

Re:Will we still have to REBOOT?

[BitZtream]

Because any number of apps may have hooked into the adobe DLLs to use various bits from them and its rather difficult (not impossible) to figure out which apps those might be and give you some info about them.

Also in reality, most users won't know what to do so rebooting is a fine alternative for the computer ignorant.

It amazes me that slashdot has so many users who will tell you much they know about system administration and programming, but don't understand the concept of dependencies

Re:Will we still have to REBOOT?

[drinkypoo]

Because any number of apps may have hooked into the adobe DLLs to use various bits from them and its rather difficult (not impossible) to figure out which apps those might be and give you some info about them.

That's a stupid argument, and slashdot is stupider for it. The OS knows exactly who is using what DLL. It would be a triviality to terminate all such processes, and it ought to be safe, too, since the OS doesn't use any Adobe DLLs. Give the user a chance to quit any which have a GUI, which is also trivial to find out (are they in the window list?)

Re:Will we still have to REBOOT?

[StuffMaster]

Well it amazes me that in 2010 dll dependencies is an excuse to reboot the computer for a PDF reader.

stop using adobe

[__aavqan3009]

stop using adobe.

Re:stop using adobe

Who users their reader anyway? POS

Re:stop using adobe

Guy craps a comment out of his ass and its modded insightful? Not that I ever had any faith in the mods on here, but this system keeps hitting new lows.

Avoid acrobat reader at all costs

[Idiomatick]

You know you suck when your company is playing catchup with Microsoft on security and patching.

Re:Avoid acrobat reader at all costs

[PsychoSlashDot]

You know you suck when your company is playing catchup with Microsoft on security and patching.

Seriously. I don't like to swear much on Slashdot, but I'd like to tell Adobe "fuck you!"

This isn't about an operating system. It isn't even about a productivity suite like Office. It's a reader. Stop patching every damned month and secure the bastard. Right now. One patch and you're done. I do not condone any corporate plan to regularly trickle out tiny fixes here and there when they're discovered because that's Good Enough. It's not good enough.

Adobe needs to change their product plan.

Adobe Reader - views PDFs and that's it
Adobe Reader Pro - views PDFs, has all the scripting and form-filling features that are vulnerable and buggy
Adobe Acrobat - makes PDFs

Strip Reader down to as few features as possible. We know that 99% of what Reader is used for is flat basic text reading. So either make a product that does that and only that, or at least make a MODE where turning on all the other features for X minutes requires a UAC-style prompt.

following MS example, do it al the way

Hey !! Adobe !, if you insist on following Microsoft's example of distributing crappy software with even more crappier default settings, then please arrange we can update the crap via WSUS as well. your own distribution tools S U C K !

Full installer

[Nimey]

How about releasing a full installer of the latest revision, instead of this idiocy where we have to download 9.3.0 from their website and then manually tell it to install 9.3.2? It can't be /that/ hard.

Re:Full installer

[BitZtream]

How about hireing some developers with a clue.

How about not putting features in a DOCUMENT format that aren't needed.?

If they want to make PDF do everything that HTML will they'll quickly find people will just send self contained HTML files instead. Why this isn't done now is simply because no one has bothered to make an HTML editor that doesn't fucking suck.

Re:Full installer

[teridon]

I agree, but you can work around this using the command line.  (I know, it sucks to have to do this!)

Download the full MSI installer for 9.3.0, plus the patches for 9.3.1 and 9.3.2 (etc) from ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/

Then, install with:

msiexec /passive /i AdbeRdr930_en_US.msi PATCH=AdbeRdrUpd931_all_incr.msp;AdbeRdrUpd932_all_incr.msp

Re:Full installer

[Nimey]

Neat. Nitpick, though: 9.3.2 will apply directly to 9.3.0, so you don't need the intermediate step.

Re:Full installer

[teridon]

I did not know that, thank you.  I didn't bother testing only applying 9.3.2 --  I just tacked the extra patch onto the end and it worked, so I left it at that.

Firefox is now going to look really bad

[TejWC]

I have spoken to a number of heads of IT about security. They seem to really hate Firefox with a strong passion.

Why? Because they don't inform admins ahead of time if there will be a new patch coming out soon. They release security updates with no warning or set schedule (so admins have to scramble each time there is a new security patch). With IE (via Windows' patch Tuesdays) and now Flash/Reader having a set schedule, Firefox will be the only commonly used software that doesn't have a scheduled security release.

Re:Firefox is now going to look really bad

[Drew+M.]

Because it's too difficult to quickly Google their release schedule which gives you upcoming notice of a release? https://wiki.mozilla.org/Releases

Re:Firefox is now going to look really bad

[Nerdfest]

Doesn't FireFox release patches as soon as they are available? Why would you force someone to wait for an update? Don't force them to install it, but don't make them wait either.

Re:Firefox is now going to look really bad

[Stray7Xi]

Doesn't FireFox release patches as soon as they are available? Why would you force someone to wait for an update?

Predictable structure when trying to maintain SOP/audits/compliance. A fully patched IE with a critical bug is just fine from a policy perspective and is easy to maintain with scheduled patches (Tuesday is good). Firefox releasing a patch on a friday makes for unhappy admin who would prefer to push it off until after their weekend.

Re:Firefox is now going to look really bad

[Culture20]

I have spoken to a number of heads of IT about security. They seem to really hate Firefox with a strong passion.

Heads of IT as in managers, CIOs? Or heads of IT as in Senior Sysadmins? Most sysadmins don't mind scrambling when it means security is being increased. Most managers hate scrambling because it means overtime, and because they look bad because they aren't managing their people's time appropriately. In short, your "head of IT" friends are pointy haired bosses who don't like change.

FYI, as long as you know what you're doing, updating firefox on windows remotely for X machines doesn't require a mad scramble. Updates can be initiated via remotely triggered vbs or bat, and the update files can live on a central server. The only trick is killing all firefox processes first to make sure no one is using it while the update occurs (and that's not even difficult).

Enough with third party update

[JaCKeL+1.0]

I am an IT and these update are PAIN IN THE ASS. Personally, I am tired of updating every single piece of software I use individually BUT it is very bad for my customers. 1. Most of them include crap like Norton scan, toolbars and other badware. 2. The majority of my customers require older version for their manufacturer system to work (old java, old acrobat reader, IE7 or less, ...) so when they do update (because they are harassed to do it) their software stop working. After that they are afraid to update anything and they become a security risk. 3. The frequency of theses updates are so high it just get people mad. 4. Why do we need to reboot for a software update, we're in 2010. Can't Microsoft put their foot down and ask anybody who want to do update to work with them ?

Re:Enough with third party update

[Pharmboy]

Can't Microsoft put their foot down and ask anybody who want to do update to work with them ?

Oh yea, MS should put their foot down and tell them "if you want your 3rd party program to be installed on customer's computers, you have to go through us. No more 3rd party applications installed unless it is through us or at least done our way". No, that wouldn't perk up the DOJ. And I'm sure that everyone on /. and every other blog would say "yes, that sounds like a good idea".

Once they did that, the thread on /. would have 1000 comments in less than an hour bashing "Teh Micr0$ucks!"

Re:Enough with third party update

[h4rr4r]

They could fix their update mechanism though. Windows sure could use a repository based update system, the user/admins could add any other repositories they wanted even internal ones. Another big fix would be allowing files that are open to be replaced, so that updates do not always require a reboot.

Re:Enough with third party update

[Pharmboy]

So, Windows should be more like Linux then?

Re:Enough with third party update

[h4rr4r]

Not just linux uses a system like this, the BSDs all except for OSX do too.

Re:Enough with third party update

I feel for you, stuck in the same boat. single man IT dept here and have the same problem. I do my updates to the workstations monthly usually a few days after patch tuesday, so i can watch forums and news sites to see if any of the patches are faulty. I dont really have a development environment here to test patches on before rolling them out company wide. however once i get windows and office, and everything else all patched up, then a week later java, adobe, autocad, quickbooks or some other software on someone's desktop will come out with some other new patch, with some stupid popup balloon in the corner annoying the users until the patch is installed.

Until adobe's change to quarterly patches it seemed at times i was installing a new patch every week on ever damn workstation in the company.

It really would be nice for either the popular software makers to work with MS in some way to get their patches included with windows update/WSUS or some 3rd party developer to come out with some software that could roll all the patches into a nice single click install package to be deployed on the desktops.

Re:Enough with third party update

[gad_zuki!]

Well, Adobe could release plugins for the new version of WSUS and admins can simply approve them like they do MS patches in WSUS. Or at least change their updaters so they make some sense. I just installed Acrobat 8.0. The updated proceeded to install:

8.0.1
8.0.2
8.0.3
8.1.0
8.1.1
etc
Almost each asking for a reboot.

Instead it should have downloaded the update straight to 8.2 or whatever the current version is and then done the incremental to 8.2.3.

Lastly, they need to disable javascript by default in reader. Users can just press the "run scripting" button if they trust the publisher. Adobe is pretty much where MS was in 1998 or so. It really needs to grow up and smarten up regarding security.

Re:Enough with third party update

[h4rr4r]

Go download virtualbox, put your images into that and test the apps. If you do not have system images, go get fog and make some. This will all make your life much easier.

Re:Enough with third party update

[JaCKeL+1.0]

Microsoft have the right to ask that every automatic update as to be pushed by them, since they are always pointed when PC have bug or security risk.
What about you ask for update when the customer launch your software or else you use WU. Many hardware manufacturer started using WU for updating device drivers and it is working very well.
You code for Windows, you work with Microsoft this way admin can choose what to apply and what to refuse and you stop bugging the end user.

BTW third party updates are only more like a pretext to gain visibility and to push offers to potential customers.

Re:Enough with third party update

[Pharmboy]

So Google and Firefox should have to use Windows Update? Perl, Cygwin should too? This is patently absurd. Perhaps then Microsoft could just say "No, we don't like you, so no updates from our servers, which means no updates".

These companies don't "code for Windows", they write software that runs on multiple platforms, such as Linux, OS X and Windows. They don't need to "work with Microsoft" because it isn't Microsoft's fucking business, only the operating system is. They are COMPETITORS to Microsoft. Firefox competes with IE. Google competes with IE, Bing, MSN, and even Windows itself on multiple platforms. iTunes is owned by Apple, who competes with the iPod (vs. Zune) and OS X.

If I were Google and MS said I had to go through WU for patches, I would have them in court before you could snap your fingers. That or just laugh in their faces. All the software that runs on your system isn't a single thing, to be controlled by a single company. This more than silly, it is unworkable, intolerable and likely illegal. You need to think it about it just a bit more.

Better late than never

[bi$hop]

I think Adobe deserves a little credit here. Increasing the frequency of commercial software releases is not trivial. They are aware of their vulnerabilities and quality issues. They genuinely want to make their software better, and they want those improvements available to customers sooner.

Re:Better late than never

[cusco]

If the genuinely want to make their software "better" then why do they always erase the settings that I've saved and overwrite them with their defaults again? Why do they insist that I first download their ^%&$*#) proprietary download software (which then wants to take over all my future downloads) rather than use http or FTP like every other frelling software vendor? If they want to make "better" software why do they release it when they KNOW about security holes? What is "better" about Acrobat Reader v93 with its 37mb download size? AcroRead 3 did everything that 99 percent of users needed with a download size of 2mb. If they had just fixed the gaping security holes (which they knew about before release) in that version I would have just put up with the 10 seconds of stupid author names and patent numbers every time I launched it rather than defecting to FoxIt.

I'll shut up now. My loathing of Adobe is almost boundless.

Re:Better late than never

[John+Hasler]

> My loathing of Adobe is almost boundless.

Yet you continue to use their software.

Re:Better late than never

[cusco]

No, I don't. I just frequently encounter it on customers' servers, and when I can I uninstall it and put FoxIt or something else usable that doesn't have truck-sized security holes in it.

Re:arrogant = deserve death

[cusco]

Please don't, my house is downwind . . .

Mod summary -1 Redundant

[penguinchris]

The last sentence in the summary is a repeat of the beginning of the paragraph. Further, the second-to-last sentence is unnecessary - the information there (that the previous quarterly patches were also on microsoft patch tuesday) can be easily added to the sentence before it.

Not that I expect well-written summaries here (and let's be honest, most people don't even read the summary in its entirety, much less TFA) but this is pretty bad.

Aw man

I do not look forward to "that time of the month" when my PC bleeds Adobe out of its port

Going to take a little more than that

[haplo21112]

Adobe patches are crap in general.
1. They usually take the form of nearly complete product updates, patches 80% of the size of the installed product are common.
2. They currently only rarely issue roll-ups so you end up in the you have to have 9.3.1 base, then install 9.3.2 patch , then install 9.3.3 patch can't jump from 9.3.1 directly to 9.3.3

This sort of stuff drives the guy at my company in change of Adobe software deployments insane. For a new machine install it takes forever as each individual patch is installed by the software deployment system.

Re:Going to take a little more than that

[DrVomact]

Adobe patches are crap in general.

Please mod parent up; this is a lapidary summary, and nothing more need be said.

Of course I'm going to say more. I have a lot of emotional trauma that requires venting. Trauma inflicted on me by Adobe. In fact, it's not just the patches, it's the apps themselves I hate. And I hate Adobe's executives, their dogs, wives, children, houses, golf clubs, and the mothers that gave them all birth.

I have actively distrusted Adobe for several years, ever since they snuck in a stealth updating mechanism (it's called "Adobe online") with an Acrobat patch that makes all other installed Adobe apps call home. All of a sudden, my (perfectly legit) FrameMaker app started to pound on the firewall, asking to talk to its mommy. This happened both at home and at work (where IT was pissed, but what could they do?). What definition of ethics do these people have when they think it's OK to change the behavior of totally unrelated applications while ostensibly patching another?

I think I've got Adobe updates turned off, but occasionally Adobe manages to hack its way into my Windows 7 box and "fixes" something for me. (Wish I could still use Acrobat 5.something, but 64 bit Windows 7 put an end to that.) These guys have delusions of grandeur so vast that they are beginning to confuse themselves with Microsoft.

just put them windows / MS update

[Joe+The+Dragon]

just put them windows / MS update

Re:just put them windows / MS update

Just English, asshole.

Aw man

[uremog]

I do not look forward to "that time of the month" when my PC bleeds Adobe out of its port.

Great another monthly problem

[UnknowingFool]

In addition to MS patches and girlfriend's problems, this is another monthly problem I don't look forward to dealing with. Who am I kidding? This is slashdot. I don't have a girlfriend. But I'll tell you what, my mom's aim is better than normal when she's throwing things at me from top of the basement stairs once a month.

Predictable update schedule

[xswl0931]

This makes sense for home users, however, for enterprises, they like complete control over rollout of patches. The risk of a patch causing problems that impact the business could be very costly and is avoided at all times. IT Departments like to have the patch and test it internally to ensure there is no impact to the business before rolling it out. Also keep in mind that in many enterprises, the end user doesn't have admin access and can't apply the patch anyways.

Re:Predictable update schedule

[h4rr4r]

Which means the admins just need to have a test machine for this. It seems more like lazy admins than anything else.

I run and test lots of stuff when the update alert comes out from their mailing list.

Re:Predictable update schedule

[hairyfeet]

So why not simply turn off Firefox updates and use the group Policy friendly Frontmotion Firefox build? It supports Group Policy Objects and AD, you can even use their MSI packager service to "roll your own" with whatever settings you choose.

I may be a Windows guy, but one of the things I like about FOSS is if there is a problem, somebody will often take the code and find a solution.

Now just get few more major vendors on board...

[John+Hasler]

...and the second Tuesday of the month can become a national holiday for everyone except IT (and Free Software users). The next step will an act of Congress declaring the Monday before the second Tuesday of the month to be Patch Tuesday so as to create a three day weekend.

Adobe has been doing this for the past few months

[Culture20]

Hasn't anyone else noticed that the last few big adobe patches were on MS patch Tuesdays?

Re:Adobe has been doing this for the past few mont

The author of TFA did. We have to read all the way through the 2nd paragraph to find:

...Adobe has been releasing its patches on the same day as Microsoft's Patch Tuesday each quarter.

Autoupdate when running as non-admin?

Will it update if the only user running the system is a regular user under Windows? That would be great for people supporting their parents/grandparents who won't know what to do to update.

Terrible idea. Which patch hosed the machine?

[syousef]

When a patch goes wrong or breaks something you'll have to do more work to figure out whose patch just broke your machine.

Awesome!

[drfreak]

Adobe exceeds expectations again with upping the frequency of the updater we all know and love.

How about...

[NateTech]

... motivating software engineers (by loss of MONEY) who release things that have big ass security bugs in them in the first place. And put up a scoreboard of the engineer with the most stupid bugs for all to see.

"We have gone X days without an exploit." - just like the safety signs in factories. Since after all, it is software safety we're talking about here.