Home

Adobe Automatic Update Stinks

Tue, 02/19/2008 - 23:19 — TheBrain

     This being the first real post of this blog I will try to keep things as civil as I can. That said the last couple of weeks have been a real hell and it is all thanks to Adobe's Automatic Update.

     We are a consulting and support company for small businesses in our area. In essence we assume the responsibility of being the IT department for companies that do not want to have an organic IT function or who do not want to afford one in a full time basis. That means that we take care of the whole enchilada to include updates and firewall security as well as ensure that everything in the IT world of the companies that we support is TipTop. Enter Adobe's Automatic Update; It all started with a client that runs all of their sales operations from remote offices for each salesperson. The sales person keeps at their home a company provided firewall (Check Point Safe@Office 500W), a VoIP phone and a company PC. The client's complaint is that their phones have a 5 to 7 second time delay as if they are calling from a different continent in the 1970's and that their remote sessions to the terminal server at the main site are very slow. The initial response is to halt all unnecessary traffic by restricting all but the most essential traffic on the Internet connection. Once we blocked all HTTP traffic and killed all existing connections things went back to normal. So looking at the firewall logs shows an enormous amount of traffic going to Akamai and to NTT. So in go rules in the firewall to block all traffic headed for the specific IPs and we re-enable all the access for the users. Two days later we are back at the problems with the connections. Back to the firewall logs and there is again a ton of traffic to the aforementioned locations. Again we add more restrictions to disallow this traffic and we move on.

     It gets better, a different client calls complaining of the same troubles. So now armed with some information we know to halt all communications but this calls for a packet capture of what in the world could be flooding an OC3 pipe to 100% utilization. The packet capture reveals Adobe Automatic Update calling home for some TLC. When it is all said and done we are blocking a couple of Class B subnets associated with Akamai and NTT. This is great as it stops the problem from continuing to eat up all the bandwidth on the Internet connection but this also sucks because of the "Guilt by association" rules that we had to put in place to curb this problem also means that any site that load balances using Akamai or NTT is not longer available on these networks and there are several sites that the user base demands access to.

     The ultimate fix is to update all the PCs running any Adobe product to the latest and greatest version of that product and disable the automatic update but this is a royal pain for a lot of sites. Wherever we can we have moved away from using Acrobat by replacing it with FoxIt Reader and PDF Creator. Some things are unable to use these so test them before deploying them but for the most part they work great and have a significantly smaller foot print than Adobe.

     Adobe - you need to change the behavior of your updates, this kind of problem is just unacceptable.