Most of the time that Adobe is spending to close a 0-day vulnerabilities in popular applications of its Reader and Flash Player, is dedicated to make sure that the fixes will not cause catastrophic damage to the computers of end users, the head of the security company.
“The last thing we wanted to see a BSOD on the appearance of hundreds of millions of computers after our release,” – said on Friday the participants Qualys Security Conference in San Francisco, Brad Arkin, director of Adobe’s privacy and security products. ”It would be really terrible. This is what we can never allow to happen.”
He said that developers need Adobe from 20 minutes to 8 hours to make the patch, after they determine the code used in the attack in order to remotely install malware on end user computers. Remaining time – usually about 6000 man-hours, as is the case with the fix for 0-day vulnerabilities in Reader – is spent on testing the new version for each operating system on which it is used to verify the absence of incompatibility.
In early 2009, after discovery of the vulnerability before the release of Adobe fixing took place 10 weeks. Since then the company has significantly improved this figure. New record of the development team of about 72 hours, said Arkin.
Arkin said that Adobe is also working to facilitate the installation of patches. After a few months, the company will introduce a new mechanism for updates to Flash, which will upgrade the application in all browsers. At the moment computers are Windows, using more than one browser must be updated twice, once – for Internet Explorer, and the second – for other browsers. Arkin noted that this relic has remained since those times, when most users had slow internet and they could not afford to download a large file that you want to upgrade all browsers.
“The more users in the consumer environment will be timely and easily updated, the less will be an attractive target for bad guys who are putting money into an exploit,” – he said. ”Keeping up with the time it is very important for all users.”