Slashdot Mirror


Adobe Chided For Insecure Acrobat Reader

The Register covers security firm Secunia calling out Adobe for its insecure distribution practices with regard to Adobe Reader. (Here is Secunia's note.) The accusation is that the way Adobe provides Reader extends the software's window of vulnerability once an exploit has begun to circulate. Version 9.1 of Reader, which is what you get when you visit the official download site, contains 10 vulnerabilities that were patched by later releases. "Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild... Visitors who obtain Adobe Reader from the company's official downloads page will find that it installs version 9.1 of the program on their computers, even though the most recent version was 9.1.2 at time of writing. That could put users at considerable peril given the number of vulnerabilities fixed in the two iterations that have come since 9.1, complains Secunia..."

6 of 179 comments

  1. Huh? by CarpetShark · · Score: 4, Insightful

    Just about every binary distribution on Windows is doing something similar these days. Short of someone building a proper, open, distributed, secure package manager for Windows, they're probably doing the best they can by having updates at all. It's better than having to go check the webpage for corrections.

    That said, if this kind of complaint becomes more common, and all software is seen as flawed in this regard, then it'll be a great push towards proper package management on Windows.

    1. Re:Huh? by DavidRawling · · Score: 5, Insightful

      The thing is, they (Secunia) have a point. Why are Adobe offering the old version, and requiring updates post-installation, for a version that is known to have serious issues?

      Let's face it, people install it because they want to view the PDF file they've just received, or downloaded. They're not going to be conscientious about updates because they just downloaded it and they expect it to be up to date. Let's not forget that plugins have pretty much always worked that way (e.g. Flash).

    2. Re:Huh? by rysiek · · Score: 5, Insightful

      The problem is not that there is no package manager, automagically updating the packages; the problem is, on Adobe Reader's official download page there is an outdated version featured. So everybody that gets directed to that page through Google search or whatever downloads and installs an unpatched, vulnerable and exploitable version. Cheers

    3. Re:Huh? by MichaelSmith · · Score: 5, Insightful

      If Adobe didn't want to continually change the released version they could change the installer once to check for new versions.

    4. Re:Huh? by commodore64_love · · Score: 4, Insightful

      "Hello. I am SpyBot version 42, and updates to me will be available at http://nigeriaisafunplacetosteal.com/ and signed with this public key."

      There has to be some oversight from Microsoft to prevent this from happening, and we know from Apple's iPhone approval/disapproval process how well that does Not work.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
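The two replies above (MichaelSmith's installer that checks for new versions, and commodore64_love's SpyBot that announces its own update URL and public key) between them describe the one decision an update check cannot delegate to the thing being updated: which key and which host are trusted. The Go program below is an added example, not code from the page or from Adobe. The installer is built with the vendor's public key and update host pinned, fetches a version manifest, verifies its Ed25519 signature before parsing a byte of it, and only then compares versions. The manifest format and field names, the host updates.example.com and the fixed key seeds are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Manifest is what the installer fetches. Format and field names are
// assumptions for this example, not Adobe's actual update protocol.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	URL     string `json:"url"`
}

// UpdatePolicy is fixed when the installer is built; a manifest can be
// accepted or rejected under it but can never introduce a new key or host.
type UpdatePolicy struct {
	PinnedKey  ed25519.PublicKey
	Product    string
	UpdateHost string
}

// parseVersion turns "9.1.2" into []int{9, 1, 2}.
func parseVersion(s string) ([]int, error) {
	var out []int
	for _, p := range strings.Split(strings.TrimSpace(s), ".") {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad version component %q in %q", p, s)
		}
		out = append(out, n)
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1; missing trailing components count as
// zero, so "9.1" equals "9.1.0" and is older than "9.1.2".
func compareVersions(a, b []int) int {
	at := func(v []int, i int) int {
		if i < len(v) {
			return v[i]
		}
		return 0
	}
	for i := 0; i < len(a) || i < len(b); i++ {
		if x, y := at(a, i), at(b, i); x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// signManifest is the vendor side: canonical JSON plus an Ed25519 signature
// over exactly those bytes.
func signManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	if body, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// CheckUpdate is the installer side. newer is true only when the manifest
// verifies under the pinned key, names the right product, points at the
// pinned host over HTTPS, and carries a version above the installed one.
func CheckUpdate(p UpdatePolicy, installed string, body, sig []byte) (newer bool, m Manifest, err error) {
	if !ed25519.Verify(p.PinnedKey, body, sig) { // verify before the JSON decoder sees anything
		return false, m, errors.New("manifest signature does not verify under pinned key")
	}
	if err = json.Unmarshal(body, &m); err != nil {
		return false, m, err
	}
	if m.Product != p.Product {
		return false, m, fmt.Errorf("manifest is for %q, not %q", m.Product, p.Product)
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || u.Host != p.UpdateHost {
		return false, m, fmt.Errorf("refusing %q: updates must be https on %s", m.URL, p.UpdateHost)
	}
	have, err := parseVersion(installed)
	offered, err2 := parseVersion(m.Version)
	if err != nil || err2 != nil {
		return false, m, errors.New("unparseable version string")
	}
	return compareVersions(offered, have) > 0, m, nil
}

func main() {
	vendor := ed25519.NewKeyFromSeed([]byte("example-vendor-seed-0123456789ab")) // constructed seed
	policy := UpdatePolicy{PinnedKey: vendor.Public().(ed25519.PublicKey), Product: "Reader", UpdateHost: "updates.example.com"}
	body, sig, _ := signManifest(vendor, Manifest{Product: "Reader", Version: "9.1.2", URL: "https://updates.example.com/reader/9.1.2/setup.exe"})
	fmt.Println(CheckUpdate(policy, "9.1", body, sig))
	// The SpyBot case: validly signed, but by a key the installer never pinned.
	other := ed25519.NewKeyFromSeed([]byte("attacker-seed-0123456789abcdefgh"))
	obody, osig, _ := signManifest(other, Manifest{Product: "Reader", Version: "42", URL: "https://nigeriaisafunplacetosteal.com/update.exe"})
	_, _, err := CheckUpdate(policy, "9.1", obody, osig)
	fmt.Println(err)
}
```

Run as-is, the vendor's manifest is reported as newer than the installed 9.1, and the manifest signed with the other key is rejected at the signature check regardless of what it claims. Whether the pinned key deserves that trust is exactly the oversight question commodore64_love raises; the code can only enforce a decision made when the installer was built.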

  2. Why should a 'reader' be a security issue anyway? by dtjohnson · · Score: 4, Insightful

    Adobe began using JavaScript in their reader beginning with v7 and that has opened up this whole new world of security issues. Wouldn't it be better if the 'reader' just rendered a static file and didn't run embedded script?
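Since the reader does execute script embedded in a document, the practical counterpart to this comment is knowing which PDFs carry active content before they are opened. The Go program below is an added example, not code from the page or from Adobe. It scans a PDF's bytes for the names that trigger execution or file access (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile), after first inflating FlateDecode streams and folding PDF name escapes such as /J#53, two routine features of real files that defeat a naive grep of the raw bytes. The sample documents are constructed inline and are not real files; the list of names is a policy choice for the example, not a malware signature.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"fmt"
	"io"
	"regexp"
	"strconv"
	"strings"
)

// Names that make a viewer do something beyond rendering. A policy list for
// this example, not a malware signature.
var activeNames = []string{"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"}

var (
	// A name token ends at whitespace or a PDF delimiter, so /JS does not match
	// a longer name that merely starts with it.
	activeRe   = regexp.MustCompile(`/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)(?:[\s/\[\]<>(){}%]|$)`)
	nameEscape = regexp.MustCompile(`#([0-9A-Fa-f]{2})`)
	streamRe   = regexp.MustCompile(`(?s)stream\r?\n(.*?)\r?\nendstream`)
)

// unescapeNames folds PDF name escapes (/J#53 is the same name as /JS) so a
// scan cannot be dodged by hex-encoding characters of the name.
func unescapeNames(b []byte) []byte {
	return nameEscape.ReplaceAllFunc(b, func(m []byte) []byte {
		v, _ := strconv.ParseUint(string(m[1:]), 16, 8)
		return []byte{byte(v)}
	})
}

// inflateStreams decodes every FlateDecode stream so that names hidden inside
// compressed objects (the usual case in real files) are scanned too.
func inflateStreams(doc []byte) [][]byte {
	var out [][]byte
	for _, m := range streamRe.FindAllSubmatchIndex(doc, -1) {
		start := m[0] - 300 // the stream dictionary immediately precedes the keyword
		if start < 0 {
			start = 0
		}
		if !bytes.Contains(doc[start:m[0]], []byte("/FlateDecode")) {
			continue
		}
		r, err := zlib.NewReader(bytes.NewReader(doc[m[2]:m[3]]))
		if err != nil {
			continue
		}
		data, _ := io.ReadAll(io.LimitReader(r, 8<<20)) // cap decompression bombs; keep partial output
		r.Close()
		if len(data) > 0 {
			out = append(out, data)
		}
	}
	return out
}

// ScanPDF returns, in a fixed order, the active-content names present in the
// raw file or in any inflated stream, after name escapes are normalised.
func ScanPDF(doc []byte) []string {
	found := map[string]bool{}
	for _, chunk := range append([][]byte{doc}, inflateStreams(doc)...) {
		for _, m := range activeRe.FindAllSubmatch(unescapeNames(chunk), -1) {
			found["/"+string(m[1])] = true
		}
	}
	var res []string
	for _, n := range activeNames {
		if found[n] {
			res = append(res, n)
		}
	}
	return res
}

// buildSample constructs a toy PDF fragment for the demo (not a file from the
// page): a catalog whose /OpenAction runs JavaScript. With compress=true the
// object is wrapped in a FlateDecode stream and its names are hex-escaped,
// which is enough to slip past a grep for "/JavaScript" on the raw bytes.
func buildSample(compress bool) []byte {
	catalog := "<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert('hi')) >> >>"
	if !compress {
		return []byte("%PDF-1.4\n1 0 obj\n" + catalog + "\nendobj\n")
	}
	escaped := strings.NewReplacer("/JavaScript", "/Java#53cript", "/JS", "/J#53", "/OpenAction", "/Open#41ction").Replace(catalog)
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	w.Write([]byte(escaped))
	w.Close()
	return []byte(fmt.Sprintf("%%PDF-1.4\n3 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream\nendobj\n", buf.Len(), buf.Bytes()))
}

func main() {
	fmt.Println(ScanPDF(buildSample(false))) // [/JavaScript /JS /OpenAction]
	fmt.Println(ScanPDF(buildSample(true)))  // [/JavaScript /JS /OpenAction], found only after inflating and unescaping
	fmt.Println(ScanPDF([]byte("%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"))) // []
}
```

The inflate step is the part that matters in practice: object streams in real documents are almost always Flate-compressed, so a scanner that only looks at the raw bytes sees nothing. Treat a non-empty result as "this file will try to do something when opened", which is the question the comment is really asking.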