Timing also played a part in Adobe's decision to delay the patch. The upcoming holidays, for example, were a concern to businesses, which weren't sure if they could test and deploy a rush patch before their workers returned to the job on Jan. 4. Also in play, said Arkin: The looming Jan. 12 deadline.
Last May, Adobe revamped the security process for its PDF viewing and editing applications, a move made after critics blasted the company for its slow patching process several months earlier. Adobe promised to speed up its patch work, go over old code to find flaws and release security updates for Reader and Acrobat every three months.
"We're not establishing a guaranteed policy here," Arkin said, referring to the decision to delay the patch of the exploited vulnerability, "but where this happened to fall on the calendar played a part. If we're early in the quarter, and if it's urgent, we can release an out-of-cycle update, but as you get later, and closer to the quarterly patch, you have to weigh how [an out-of-cycle update] impacts that."
Arkin denied that Adobe lacked the resources necessary to handle out-of-cycle updates while still making its quarterly update schedule, but acknowledged that the company can't afford to have a team of engineers "waiting just in case" an emergency occurs.
He also dismissed comparisons to Microsoft, whose security teams have frequently faced the same problem -- rush out a patch or wait until the next cycle -- and have managed to do both at once. "There's a lot of differences between us and them," Arkin said. "You don't really know when they queue things up, for example. They might have started working on a patch long before because the vulnerability had been responsibly disclosed."
Overall, Arkin said, the quarterly patch schedule is a positive, primarily because it appeals to enterprises using Adobe's software. "It's been really well received by all the customers I've talked with," he said. "They really appreciate the ability to plan for it, to know when it's coming."
However, he deflected questions about whether the quarterly schedule may leave consumers at risk longer than if Adobe released security updates as soon as they're ready. Instead, he touted Adobe's revised updating tool, which was provided to users via the October Reader/Acrobat security release, but switched on only for a small group of beta testers.
"For home and consumer users, we have the new updater that we shipped in October," said Arkin. "It allows a couple of different options, including downloading and installing in the background, without any user interaction. Reminding people that there's an update when they're using the product is usually the worst time," Arkin continued. Instead, the new updater will process patches, download and install them -- with no effort on users' parts. "We're hoping this will keep people updated with patches," he said.
Adobe will use the new updater for the first time next month to deliver the Jan. 12 patches to the beta testers, get feedback from the group, and then perhaps switch it on for all users.
Arkin admitted that, even with the new focus on security, Adobe can do better. One way would be to get information about active attacks sooner. While Adobe only learned of the current vulnerability and exploit last Monday, when several security vendors reported their findings, evidence in filtering logs shows that the attack code was being e-mailed to targeted victims as early as Nov. 20.