Slashdot Mirror


Adobe Chided For Insecure Acrobat Reader

The Register covers security firm Secunia calling out Adobe for its insecure distribution practices with regard to Adobe Reader. (Here is Secunia's note.) The accusation is that the way Adobe provides Reader extends the software's window of vulnerability once an exploit has begun to circulate. Version 9.1 of Reader, which is what you get when you visit the official download site, contains 10 vulnerabilities that were patched by later releases. "Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild... Visitors who obtain Adobe Reader from the company's official downloads page will find that it installs version 9.1 of the program on their computers, even though the most recent version was 9.1.2 at time of writing. That could put users at considerable peril given the number of vulnerabilities fixed in the two iterations that have come since 9.1, complains Secunia..."

17 of 179 comments

  1. Huh? by CarpetShark · · Score: 4, Insightful

    Just about every binary distribution on windows is doing something similar these days. Short of someone building a proper, open, distributed, secure package manager for windows, they're probably doing the best they can by having updates at all. It's better than having to go check the webpage for corrections.

    That said, if this kind of complaint becomes more common, and all software is seen as flawed in this regard, then it'll be a great push towards proper package management on windows.

    1. Re:Huh? by moon3 · · Score: 2, Insightful

      proper, open, distributed, secure package manager for windows

      I still very much prefer the Internet to be the download system for Windows applications, where authors have control and choice over their distribution channels.

    2. Re:Huh? by DavidRawling · · Score: 5, Insightful

      The thing is, they (Secunia) have a point. Why are Adobe offering the old version, and requiring updates post-installation, for a version that is known to have serious issues?

      Let's face it, people install it because they want to view the PDF file they've just received, or downloaded. They're not going to be conscientious about updates because they just downloaded it and they expect it to be up to date. Let's not forget that plugins have pretty much always worked that way (eg Flash).

    3. Re:Huh? by rysiek · · Score: 5, Insightful

      The problem is not that there is no package manager, automagically updating the packages; the problem is, on Adobe Reader's official download page there is an outdated version featured. So everybody that gets directed to that page through google search or whatever, downloads and installs an unpatched, vulnerable and exploitable version. Cheers

    4. Re:Huh? by MichaelSmith · · Score: 5, Insightful

      If Adobe didn't want to continually change the released version they could change the installer once to check for new versions.

    5. Re:Huh? by Opportunist · · Score: 2, Insightful

      I try to refrain from thinking too hard how to abuse this ... too late.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Huh? by commodore64_love · · Score: 4, Insightful

      "Hello. I am SpyBot version 42, and updates to me will be available at http://nigeriaisafunplacetosteal.com/ and signed with this public key."

      There has to be some oversight from Microsoft to prevent this from happening, and we know from Apple's iPhone approval/disapproval process how well that does Not work.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    7. Re:Huh? by Cid+Highwind · · Score: 2, Insightful

      I don't see anything wrong with the current model of having each program "phone home" and check for updates when you run it.

      I do. If something like Adobe Reader only checks for updates when you use it, and you rarely use pdf documents, it will sometimes fall a few versions behind. Then when you encounter a web site that embeds some pdf-exploit-of-the-week, your system gets pwnt while Reader is still waiting to hear back from the update server.

      Most vendors' cure for that: to install yet another goddamn advertising-laden, disk-thrashing, login-delaying updater with yet another tray icon that wants attention all the time, is sub-optimal to say the least.

      --
      0 1 - just my two bits
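      Both the "check for new versions once, in the installer" idea and the "phone home when you run it" model above come down to one decision: is the copy on disk (or in the installer) behind the current release? The example below is added here and is not code from this thread or from Adobe. The version strings 9.1 and 9.1.2 are the ones from the article; the lookup against a vendor update service is assumed and not implemented (`latest` is passed in, and `None` stands for a failed lookup). It also shows why comparing version strings as text is wrong.

```python
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.1' or '9.1.2' into a tuple of integers."""
    return tuple(int(part) for part in text.strip().split("."))


def is_outdated(installed: str, latest: str) -> bool:
    """True when `installed` is older than `latest`; '9.1' and '9.1.0' compare equal."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def naive_is_outdated(installed: str, latest: str) -> bool:
    """The common mistake: comparing version strings as text. It claims 9.10 < 9.9."""
    return installed < latest


def installer_decision(bundled: str, latest: Optional[str]) -> str:
    """What a setup program should do before it writes anything to disk.

    `latest` is the version string obtained from the vendor's update service
    (hypothetical lookup, not shown here); None means the lookup failed, which
    must be reported as unknown rather than treated as "already current".
    """
    if latest is None:
        return "unknown: update check failed, warn the user rather than assume current"
    if is_outdated(bundled, latest):
        return f"fetch {latest}: bundled {bundled} has known fixes pending"
    return f"install bundled {bundled}: already current"


if __name__ == "__main__":
    print(installer_decision("9.1", "9.1.2"))   # the situation from the article
    print(installer_decision("9.1.2", "9.1.2"))
    print(installer_decision("9.1", None))
    print(naive_is_outdated("9.10", "9.9"), is_outdated("9.10", "9.9"))
```

      The same `is_outdated` check serves the launch-time case: a reader that compares its own version against the service's answer at startup, and treats a failed lookup as "unknown" rather than "current", cannot silently run several releases behind.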
    8. Re:Huh? by commodore64_love · · Score: 2, Insightful

      As a hardware engineer I hate the rise of firmware. I'm used to the old paradigm where you buy a VCR or TV, and it "just works". No updates needed because it's spent several months in debugging, and arrives at your door with virtually no flaws. I've got a TV that's 30 years old and a VCR that's over 20 and a CD player that's around 15 years old. They never, ever needed an update in all that time.

      But now we have lazy folks like Sony or Toshiba putting-out Bluray or HD DVD players that require upgrading every month, else they won't play the latest movies. That's just stupid. If this trend continues the consumer will be expected to spend several hours on the 1st of each month to upgrade their TV, their DVR, their DVD/Bluray player, their Fridge, their Stove, their Microwave, their Clock, their Phone (both wired and wireless), their playstation, their xbox, and on and on and on.

      People already complain Daylight Savings Time is a hassle - this new firmware instead of hardware world will be a hundred times worse. Engineers - stop being lazy and saying "we'll fix it later". Marketers - stop setting unrealistic schedules that don't allow time for testing. Make it work the FIRST time without needing patches. Quality control should happen in the factory, not the consumer's living room.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  2. Downloading Adobe Bloater? by Runaway1956 · · Score: 1, Insightful

    People who are downloading Adobe deserve what they get. There are PDF readers on the net that download in 1/10th the time, use less than 1/10th of the resources, run faster, with more features, and WITHOUT the vulnerabilities. Most are free for personal use, most have features that can be unlocked by upgrading, and even the upgraded version can be had for "free" through the advertising schemes. If all a person ever needs to do is read a document published on the web, he doesn't even NEED any features.

    It's been years since I installed Acrobat or Adobe reader, and I'll never install it again.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    1. Re:Downloading Adobe Bloater? by Norsefire · · Score: 2, Insightful

      If all a person ever needs to do is read a document published on the web, he doesn't even NEED any features.

      At least you've made the clarification. There are too many people who reckon Acrobat is bloated because they have never done anything more with a PDF than double-click the icon and read it. In the Industry I work, Acrobat is missing features that we need, which we make up by using plugins.

  3. Re:Who the heck still uses Acrobat Reader? by IBBoard · · Score: 3, Insightful

    How many websites have you seen that say "here's a PDF of a document - you'll need to download Adobe Reader [insert link] if you want to view it" and how many say "here's a PDF of a document - you'll need to download a PDF reader such as Adobe Reader [insert link], Foxit [insert link], ... if you want to view it"? Most commercial sites that distribute PDFs recommend Adobe, and if you're not a techy then you'll assume that Adobe is all you can use. Why do you think so many people used IE6 when Firefox and Opera were available?

  4. Re:Evince vs. Acrobat by L4t3r4lu5 · · Score: 2, Insightful

    How about the other five listed here? I'm not running Linux, so I can't wipe your bottom for you. Maybe some research on your part would be useful?

    Here, I'll save you some effort and GoogleThatForYou

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  5. Re:Evince vs. Acrobat by CarpetShark · · Score: 2, Insightful

    Evince is pretty lacking in PDF functionality anyway. If you want to compare best of breed on each system, you should probably compare KPDF. It would still fall short of Acrobat Reader. However, I think it's silly to expect otherwise, given that Adobe set the standard AND develop the software meeting that standard in one go.

  6. Why should a 'reader' be a security issue anyway? by dtjohnson · · Score: 4, Insightful

    Adobe began using javascript in their reader beginning with v7 and that has opened up this whole new world of security issues. Wouldn't it be better if the 'reader' just rendered a static file and didn't run embedded script?
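    Whether a given PDF would actually exercise that script engine is something a defender can check before the file reaches a reader. The scanner below is an added example, not code from this thread or from Adobe: it counts the action-related names a static renderer would ignore (`/JavaScript`, `/JS`, `/OpenAction`, `/AA`, `/Launch`). Two details matter for triage and are handled here: PDF names may be written with `#xx` hex escapes, so `/Java#53cript` must be normalized before matching, and objects may sit inside Flate-compressed streams, so those are inflated and scanned too. All three sample files are constructed inline.

```python
import re
import zlib

# Constructed sample: the catalog's /OpenAction points at a JavaScript action,
# and the /JavaScript name is written with a #-escaped hex byte (/Java#53cript),
# which a plain substring search for "/JavaScript" would miss.
SAMPLE_PDF_WITH_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample with no actions at all: a single empty page.
SAMPLE_PDF_STATIC = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample() -> bytes:
    """Constructed sample whose action dictionary sits inside a Flate-compressed
    stream, so the indicator names never appear in the raw bytes of the file."""
    inner = b"<< /S /JavaScript /JS (app.alert('inside stream')) >>"
    packed = zlib.compress(inner)
    return (
        b"%PDF-1.5\n1 0 obj << /Type /Catalog >> endobj\n"
        b"5 0 obj << /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed
        + b"\nendstream\nendobj\n%%EOF\n"
    )


# Names that mean the reader will do more than render static content.
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
FLATE_STREAM = re.compile(rb"/FlateDecode.*?stream\r?\n(.*?)endstream", re.DOTALL)


def unescape_names(data: bytes) -> bytes:
    """Resolve PDF name escapes so that /Java#53cript reads as /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the decompressed body of every FlateDecode stream."""
    out = []
    for m in FLATE_STREAM.finditer(data):
        d = zlib.decompressobj()  # tolerates the newline left before 'endstream'
        try:
            out.append(d.decompress(m.group(1)))
        except zlib.error:
            continue  # damaged or not really zlib data; nothing to inspect
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count each indicator in the raw bytes plus the inflated stream contents."""
    text = unescape_names(data + b"\n" + inflate_streams(data))
    counts = {}
    for name in INDICATORS:
        # Require a non-alphanumeric byte after the name so /JS does not match /JSX.
        pattern = re.escape(name) + rb"(?![0-9A-Za-z])"
        counts[name.decode()] = len(re.findall(pattern, text))
    return counts


def has_active_content(data: bytes) -> bool:
    """True when the file carries script or launch actions a static renderer would ignore."""
    c = scan_pdf(data)
    return any(c[k] > 0 for k in ("/JavaScript", "/JS", "/Launch"))


if __name__ == "__main__":
    for label, pdf in (("escaped-name", SAMPLE_PDF_WITH_JS),
                       ("compressed", build_compressed_sample()),
                       ("static", SAMPLE_PDF_STATIC)):
        print(label, has_active_content(pdf), scan_pdf(pdf))
```

    This is a triage heuristic, not a PDF parser: it only decodes Flate streams, so files using other filters (LZW, ASCIIHex, ASCII85) or encryption need those layers removed first, and a hit only says the file asks for script or launch behaviour, not that the payload is malicious. It is still enough to route script-bearing PDFs to a sandbox or a viewer with scripting disabled.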

  7. Re:What? by dasherjan · · Score: 2, Insightful

    I never understood why a simple PDF reader needs to have enough access to a system that the vulnerabilities that are in the Adobe Reader could even exist. Of course I only use a PDF reader to actually read the file. I guess there are some "super elite" things to do with Adobe Reader that I have no clue about.

  8. Re:What? by Anonymous Coward · · Score: 1, Insightful

    I just wish they would get their act together and write their software to have a functional update feature that doesn't require admin privileges. There is nothing they do that should require them monkeying around in the non-user part of the registry (and really they don't need to be there).

    We complained that Microsoft didn't implement proper user access controls. When they do, none of the software developers bother to write their software to use it (Microsoft included) and none of us turn it on because of that.