Comments on: Adobe Reader bug info: Better late than never, huh? http://www.teleread.org/blog/2008/05/08/adobe-reader-bug-info-better-late-than-never-huh/ News & views on e-books, libraries, publishing and related topics Sun, 06 Jul 2008 00:39:19 +0000 http://wordpress.org/?v=2.5.1 By: David Rothman http://www.teleread.org/blog/2008/05/08/adobe-reader-bug-info-better-late-than-never-huh/#comment-791669 David Rothman Thu, 08 May 2008 18:02:59 +0000 http://www.teleread.org/blog/2008/05/08/adobe-reader-bug-info-better-late-than-never-huh/#comment-791669 Big thanks for at least unofficially giving Adobe's side, John. That's a helpful response. I'm gong to take the liberty of reproing in full your note to CW. David Timing of releases Submitted by John Dowdell on May 7, 2008 - 14:59. Hi Gregg, I'd defer to members of Adobe's security team for full details, but usually we don't provide additional info about the nature of an exploit until all versions are updated. The Acrobat 8.x series was updated awhile ago, but today the Acrobat 7.x series was also updated, for those intranets which have slow approval cycles for new major versions. (This practice also gives a significant number of consumers a chance to get protected, before providing background info to security researchers which might incidentally help criminals.) jd/adobe Big thanks for at least unofficially giving Adobe’s side, John. That’s a helpful response. I’m gong to take the liberty of reproing in full your note to CW. David

Timing of releases
Submitted by John Dowdell on May 7, 2008 - 14:59.

Hi Gregg, I’d defer to members of Adobe’s security team for full details, but usually we don’t provide additional info about the nature of an exploit until all versions are updated.

The Acrobat 8.x series was updated awhile ago, but today the Acrobat 7.x series was also updated, for those intranets which have slow approval cycles for new major versions.

(This practice also gives a significant number of consumers a chance to get protected, before providing background info to security researchers which might incidentally help criminals.)

jd/adobe

]]> By: John Dowdell http://www.teleread.org/blog/2008/05/08/adobe-reader-bug-info-better-late-than-never-huh/#comment-791581 John Dowdell Thu, 08 May 2008 16:08:55 +0000 http://www.teleread.org/blog/2008/05/08/adobe-reader-bug-info-better-late-than-never-huh/#comment-791581 Hi David, I left a comment at Gregg's piece pretty much as soon as it was published -- the comment was printed, thank goodness, but at the bottom of the page, where it was easy to miss. Adobe Reader 8.x was released pretty quickly. But details of what it fixed were not published until after we had older versions updated too. (Sometimes an intranet will approve minor versions on a shorter cycle than they will major versions, and so we need to go back and update older codebases as well.) So the answer to Gregg's implicit question of "Why did it take so long to learn juicy details of badguy practices?" would be something like "To give current users a meaningful chance to update first, and also to take care of people who cannot use the current version." Good? jd/adobe Hi David, I left a comment at Gregg’s piece pretty much as soon as it was published — the comment was printed, thank goodness, but at the bottom of the page, where it was easy to miss.

Adobe Reader 8.x was released pretty quickly. But details of what it fixed were not published until after we had older versions updated too. (Sometimes an intranet will approve minor versions on a shorter cycle than they will major versions, and so we need to go back and update older codebases as well.)

So the answer to Gregg’s implicit question of “Why did it take so long to learn juicy details of badguy practices?” would be something like “To give current users a meaningful chance to update first, and also to take care of people who cannot use the current version.”

Good?

jd/adobe

]]>