Today, Adobe users wanting to update Acrobat and Reader have to do it manually, or semi-automatically, but there is no fully automatic, 'silent' updating feature officially available to users. This has been a problem when it comes to getting users to update the products to cope with new security patches, explained Brad Arkin, director of product security and privacy at Adobe.
"We anticipate that this will have a dramatic improvement on the window of vulnerability for our user base," Arkin said. "Where we see that improvement occurring is the time from when we release an update to when that update is deployed on a machine."
During its last quarterly patch in October, Adobe quietly installed a new updater, called Acrobat Refresh Manager, that could be set to update the product silently. A beta test with selected users will start with the company's latest round of critical security patches, scheduled for next Tuesday. If the Beta test goes well, the update mechanism will be offered as a default option with the following quarterly security update in April.
Adobe is behind the curve in terms of silent product updates, which are a standard feature on many products. Arkin said that the company had to be cautious about introducing the update because of the sheer volume of computers using Adobe's update system. "Reader is installed on hundreds of millions of machines around the world. Even the most minor potential flaw that only happens on one machine in a million still adds up to a lot of machines," he added.
Today, the Adobe update manager asks users if they want to introduce new patches. Too many users are avoiding the installation, Arkin said, presumably because they're busy doing other things, and forget.
"For a lot of reasons, people don't say 'yes' right away. Some of them never do, which dramatically increases their vulnerability," he predicted.
However, the silent updater won't help users when a zero-day exploit emerges and Adobe fails to patch it immediately. Next Tuesday's collection of critical updates includes a patch for an Acrobat and Reader vulnerability that is already being exploited in the wild. Arkin said that the company's record on patches for zero-day exploits has improved, dropping from around five weeks at the start of last year down to around two weeks on average today.
There are no immediate plans to introduce a version for Flash Player, however, which has suffered its own critical security flaws. "We will learn from this experience, and then see if it's applicable to any other products," Arkin concluded.