Adobe Chided For Insecure Acrobat Reader

The Register covers security firm Secunia calling out Adobe for its insecure distribution practices with regard to Adobe Reader. (Here is Secunia's note.) The accusation is that the way Adobe provides Reader extends the software's window of vulnerability once an exploit has begun to circulate. Version 9.1 of Reader, which is what you get when you visit the official download site, contains 10 vulnerabilities that were patched by later releases. "Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild... Visitors who obtain Adobe Reader from the company's official downloads page will find that it installs version 9.1 of the program on their computers, even though the most recent version was 9.1.2 at time of writing. That could put users at considerable peril given the number of vulnerabilities fixed in the two iterations that have come since 9.1, complains Secunia..."

Rewarding incompetence

[mr_stark]

Dont use Acrobat... There are several alternatives available all less bloated:

GPL'd PDF reader: http://blog.kowalczyk.info/software/sumatrapdf/index.html

Commercial: http://www.foxitsoftware.com/pdf/reader/

Re:Rewarding incompetence

[bheer]

Unfortunately, it isn't that simple. Many of the alternatives lack key features that make it difficult for many users.

IIRC there are some kinds of PDF Forms which still cause problems in Foxit Reader. Also, because Foxit doesn't have CoolType and Adobe does, PS/OpenType fonts which are not specifically hinted for the screen (and are used by many design shops) look *much* better on Adobe reader than Foxit, making it invaluable for pre-publishing previews.

Also, specifically for Foxit -- it has its own share of vulnerabilities.

Re:Huh?

[Spit]

Ubuntu installer will download all the patches before rebooting to the installed system.

Re:Nitpick

[IBBoard]

Complaining that initial download contains 9.1 vs 9.1.2 is just splitting hairs.

That depends on the difference between 9.1 and 9.1.2. If the difference is a week or two (i.e. the bug fixes haven't been out long) then it's not unreasonable to have a delay updating the download (although it would obviously be better to update it as well rather than distribute known vulnerabilities). If the difference between them is several months or more then it's less excusable and they've had plenty of time to update it.

Re:Huh?

[Gnavpot]

But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation
[...]
So while having a central repository works for Linux, it simply would never work for Windows.

It is obvious that your statement is based on a lack of knowledge of apt.

Apt does not depend on a central repository. Yes, there is a central repository for the distribution's official packages. No, you are not limited to using this repository.

Any software vendor can set up an apt repository, and you can add that repository to /etc/apt/sources.list including keys for signed packages.

In the Windows version, this would mean that an installer for a third-party program could add keys and download information to an update service running on the local PC. MS would not need to be involved at all - but they would need to make an updating routine with an open interface.

Don't use Acrobat!

[crhylove]

Acrobat is like a giant virus on every machine I've run it on.

SumatraPDF is much, much faster and better.

Besides Adobe is a Fox news sponsor. Don't give them your money or your ram!!!

http://portableapps.com/de/apps/office/sumatra_pdf_portable