Adobe will flip the switch next week on a service that silently updates customers’ copies of its popular Reader and Acrobat PDF programs, the company’s chief security executive said Thursday.
Background updating in Adobe Reader Updater and the Adobe Acrobat Reader will be enabled on Tuesday, April 13, when Adobe delivers its next regularly-scheduled set of patches for the two programs, said Brad Arkin, the company’s director for product security and privacy. “Starting Tuesday, we will turn on the server, and the new updater will take effect,” said Arkin.
The move is meant to keep more users’ software fully-patched, and thus more secure. Adobe has struggled to keep up with a swarm of vulnerabilities in PDF documents, which according to one analysis, were responsible for 80 percent of all exploits at the end of 2009.
Last year, the company patched four “zero-day” PDF vulnerabilities—bugs that were actively being exploited when the fix was released—and it’s patched one PDF zero-day so far in 2010.
Most users already have the new updater on their machines: Adobe started pushing the new tool to Reader and Acrobat customers last October. However, it initially enabled the updater only for a group of invitation-only beta testers; next week will be the first time that it is turned on for the general public.
The biggest difference between Adobe’s old and new update technology is that the latter offers a mode Arkin dubbed “silent,” which updates the software in the background, without notifying the user or asking for additional permission. The older updater alerted users when patches or a new program version was available.
But out of the gate, users will see little change, Arkin noted. The current updater offers two modes—a full manual mode where the user must explicitly ask for patches and a semi-automatic mode that notifies the user before beginning the download.
The new update service will not modify users’ settings, said Arkin. “On Tuesday, we’ll migrate the existing settings to the new updater, so if it’s set on semi-automatic, then [the new updater] will do that, too.”
Users will have to change the updater’s options themselves to switch on the silent mode. “Most people will be on semi-automatic with the new updater,” said Arkin. “To change that, they’ll have to go into the configuration options and switch from semi to silent mode. We’re not going to change someone from semi to silent without some kind of user action.”
As early as July 13, the next quarterly security update for Reader and Acrobat, Adobe may prompt users to switch to silent mode with a pop-up dialog that offers to change the updater’s settings. Saying that the dialog would resemble those users face when they install software, Arkin added that the offer will follow an opt-out model. “If they take all the defaults [in the dialog], it will switch to fully-automatic mode,” he said.
Adobe will also decrease the interval between regular update offers, said Arkin. Currently, Adobe’s servers notify the Reader and Acrobat software of an available update every seven days; that will decrease to every three days with the new tool.
“Updates were applied almost 100% within three days by the beta testers,” he said, referring to the pool who have used the new updater for the last several months. Adobe’s goal is to not only remove the need for users to approve updates, but also to speed up updating. “It takes too long for too many users today to update,” he argued.
In most cases, the silent updates will not trigger the UAC (user account control) warnings in Windows Vista and Windows 7 , Arkin said in an e-mail reply to follow-up questions. “However, if the update requires inclusion of a full installer or an update to the updater itself, the UAC dialog box will appear,” he explained. “In those instances, the fully automatic option cannot be supported, and the user will have to accept the update installation via the UAC dialog, thus performing a semi-automatic update.”
UAC is a security feature that Microsoft debuted with Windows Vista, and tweaked for Windows 7. UAC prompts users for their consent before allowing a task such as the installation of a program or a device driver to take place. In an attempt to quash user complaints about the constant intrusions, Microsoft modified UAC so it appears less frequently in Windows 7.
Mac users will not be able to take advantage of the new silent mode for the same reason. “There’s separate code for the Mac,” Arkin said, pointing to Mac OS X’s demand for the user’s password before installing new software. Mac users, then, will only have the fully-manual and semi-automatic modes as options.
Most enterprises, which already support Adobe Reader updates through patch management software from the likes of Microsoft and IBM, will also see no change, as they have already turned off the current updater’s ability to notify users of impending patches. “But there’s been more interest in the new update technology from enterprises than I expected,” Arkin said.
Adobe is dabbling in other ways to keep users of its software up to date. Last week, Google and Adobe announced a partnership that will automatically update Flash Player—another piece of Adobe software that is frequently targeted by hackers—when Google updates its Chrome browser.
Other software vendors also offer a fully-automatic updating mode. Microsoft, for example, has long let users set its Windows Update service to an in-the-background mode.
The new updater only works with Reader and Acrobat, but Adobe is considering expanding the silent patch feature to other software, including Flash. “Flash, because of the way it integrates with the browser, may not be an easy transition [to silent mode],” acknowledged Arkin. “But we’re always looking for ways to improve security and updating.”
Also Thursday, Adobe issued its usual advance warning of the number of patches it plans to release next Tuesday.