Slashdot Mirror


Adobe Chided For Insecure Acrobat Reader

The Register covers security firm Secunia calling out Adobe for its insecure distribution practices with regard to Adobe Reader. (Here is Secunia's note.) The accusation is that the way Adobe provides Reader extends the software's window of vulnerability once an exploit has begun to circulate. Version 9.1 of Reader, which is what you get when you visit the official download site, contains 10 vulnerabilities that were patched by later releases. "Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild... Visitors who obtain Adobe Reader from the company's official downloads page will find that it installs version 9.1 of the program on their computers, even though the most recent version was 9.1.2 at time of writing. That could put users at considerable peril given the number of vulnerabilities fixed in the two iterations that have come since 9.1, complains Secunia..."

36 of 179 comments

  1. What? by Anonymous Coward · · Score: 5, Funny

    There's a version without vulnerabilities?

    1. Re:What? by Jurily · · Score: 4, Funny

      There's a version without vulnerabilities?

      Yeah, the experimental branch called Foxit Reader. I heard it's a lot faster, too.

    2. Re:What? by Kozz · · Score: 3, Funny

      Gesundheit.

      --
      I only post comments when someone on the internet is wrong.
    3. Re:What? by dasherjan · · Score: 2, Insightful

      I never understood why a simple PDF reader needs to have enough access to a system that the vulnerabilities that are in the Adobe Reader could even exist. Of course I only use a PDF reader to actually read the file. I guess there are some "super elite" things to do with Adobe Reader that I have no clue about.

    4. Re:What? by Anonymous Coward · · Score: 2, Interesting

      Foxit is not failproof. One of my clients uses very, very detailed files in PDF showing many, many, many lines, shapes, squares and polygons (they're commercial real estate site plans). Foxit simply runs out of steam when rendering these and quits.

      Or it takes 55 minutes to print a 35 page PDF...

      Whereas Adobe 8 (or 9) will print / render the same in about ... 10 seconds

  2. Huh? by CarpetShark · · Score: 4, Insightful

    Just about every binary distribution on windows is doing something similar these days. Short of someone building a proper, open, distributed, secure package manager for windows, they're probably doing the best they can by having updates at all. It's better than having to go check the webpage for corrections.

    That said, if this kind of complaint becomes more common, and all software is seen as flawed in this regard, then it'll be a great push towards proper package management on windows.

    1. Re:Huh? by moon3 · · Score: 2, Insightful

      proper, open, distributed, secure package manager for windows

      I still very much prefer the Internet to be the download system for Windows applications, where authors have control and choice over their distribution channels.

    2. Re:Huh? by DavidRawling · · Score: 5, Insightful

      The thing is, they (Secunia) have a point. Why are Adobe offering the old version, and requiring updates post-installation, for a version that is known to have serious issues.

      Let's face it, people install it because they want to view the PDF file they've just received, or downloaded. They're not going to be conscientious about updates because they just downloaded it and they expect it to be up to date. Let's not forget that plugins have pretty much always worked that way (eg Flash).

    3. Re:Huh? by rysiek · · Score: 5, Insightful

      The problem is not that there is no package manager, automagically updating the packages; the problem is, on Adobe Reader's official download page there is an outdated version featured. So everybody that gets directed to that page through google search or whatever, downloads and installs an unpatched, vulnerable and exploitable version. Cheers

    4. Re:Huh? by MichaelSmith · · Score: 5, Insightful

      If Adobe didn't want to continually change the released version they could change the installer once to check for new versions.

    5. Re:Huh? by bheer · · Score: 4, Interesting

      Indeed. And given that Windows Update already exists, and given that Microsoft is antitrust-law bound to allow everyone equal access to Windows, why not open up Windows Update to allow it to update all your apps? Microsoft Update (an extension to Windows Update) already updates things like Office, .net, silverlight, etc. So why not publish a white paper on how to get your app included in Windows Update in a fair, non-discriminatory manner?

      (Alternatively, folk could band around the open-source GoogleUpdate backend. These days it doesn't even run all the time.)

      I for one would love to see the end of lots of different *update.exe apps running on the average user's computer.

    6. Re:Huh? by Spit · · Score: 2, Interesting

      All they can? Are you fucking serious? How about not coding such shitty software in the first place, for starters.

      --
      POKE 36879,8
    7. Re:Huh? by Spit · · Score: 2, Informative

      Ubuntu installer will download all the patches before rebooting to the installed system.

      --
      POKE 36879,8
    8. Re:Huh? by jonwil · · Score: 2, Interesting

      I have the following updaters running on my system:
      Miranda IM (built into the program and just opens the URL to the new full-installer in the default browser)
      AVG (built into the resident parts of the program)
      Acrobat Reader Updater
      Sun Java Updater
      Microsoft Update (set to not download automatically since I prefer to have choice in which updates I install)
      various games (most of which check for updates when I connect to the online bit)

      Conversely, there are programs I wish DID have automatic updaters:
      SeaMonkey (my copy of 1.1.x doesn't seem to have one)
      Nvidia Display Drivers (the only way to go seems to be manual download or via some widget that SM1.1.x doesn't support)

    9. Re:Huh? by hairyfeet · · Score: 5, Interesting

      As a PC repairman I hate to break the news to y'all, but home users never update the damned PC. You could give them Apt and it would be just one more update they don't actually use. I have had machines come across my desk with 4+ year old copies of Norton AV (expired of course) and not a single update applied since it left the factory. That is just SOP for a good 90% of home users.

      That is why my customers love me so much, because my motto is "do the thinking so they don't have to". So not only do I use Autopatcher to install all the current updates and have the latest service packs as well as set autoupdate for the OS, but I install Foxit set to autoupdate, have Spybot scheduled to autoupdate and scan, install Comodo AV/Firewall and have it set to scan on the customer's schedule, install Firefox and set it to be the default browser, install the latest Flash and Shockwave and Java as well as Klite Mega codec pack so I don't have to worry about them downloading dodgy codecs, and finally install VLC Player which autoupdates and have it set as default video player.

      While I don't get the return business of those that just reinstall and hand it to the customer to bone again I make up for that in referrals. But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation and I'm sure the EU would find a reason to have a shitfit, but then MSFT would get to deal with 3 or 4 years worth of lawsuits when they refuse to "provide" the myriad of programs that insist on installing toolbars or unrelated programs, like Java (toolbar) or iTunes (unrelated Safari and Quicktime).

      So while having a central repository works for Linux, it simply would never work for Windows. Between trialware, crapware, toolbar installers, and unrelated installers you would either make it a one stop shop for crap which means the users would never allow it to run, or MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    10. Re:Huh? by bheer · · Score: 2, Interesting

      Indeed, that is exactly what the IE7 and IE8 installers do. So even if someone burnt an old version of IE7/8 to CD and distributed it with a magazine, anyone installing it with a net connection would automatically get updates.

    11. Re:Huh? by jgrahn · · Score: 4, Interesting

      But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation and I'm sure the EU would find a reason to have a shitfit, but then MSFT would get to deal with 3 or 4 years worth of lawsuits when they refuse to "provide" the myriad of programs that insist on installing toolbars or unrelated programs, like Java (toolbar) or iTunes (unrelated Safari and Quicktime).

      So while having a central repository works for Linux, it simply would never work for Windows. Between trialware, crapware, toolbar installers, and unrelated installers you would either make it a one stop shop for crap which means the users would never allow it to run, or MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

      How about a standard place in Windows where a newly installed program could register itself? Like, "I am FooBar version 69, and updates to me will be available at http://foobar.org/blah and signed with this public key". Then you could have a machine-global Update Everything button go through them and do updates as needed. Doesn't solve dependency tracking though.

      (Not that I care -- it's the Windows users' problems, not mine.)

    12. Re:Huh? by Opportunist · · Score: 2, Insightful

      I try to refrain from thinking too hard how to abuse this ... too late.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:Huh? by commodore64_love · · Score: 4, Insightful

      "Hello. I am SpyBot version 42, and updates to me will be available at http://nigeriaisafunplacetosteal.com/ and signed with this public key."

      There has to be some oversight from Microsoft to prevent this from happening, and we know from Apple's iPhone approval/disapproval process how well that does Not work.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
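The registry jgrahn sketches above, together with the spoofed registration commodore64_love objects to, as an added example that is not from the thread or from any Windows component: a hypothetical per-program registration record that pins a public key, and a check that accepts an update manifest only if it carries a valid signature from that key, names the registered program and advertises a strictly newer version. The program name FooBar, the URL and the manifest layout are made up for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Registration is what a program would record in the hypothetical machine-wide
// registry: name, installed version, update URL, and the key updates must be signed with.
type Registration struct {
	Name, Version, UpdateURL string
	PublicKey                ed25519.PublicKey
}

// Manifest is the (constructed) document the updater fetches from UpdateURL.
type Manifest struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// versionLess compares dotted versions numerically, so 9.1 < 9.1.2 and
// 9.9 < 9.10; a plain string comparison gets the second case wrong.
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int // a missing component counts as 0, so 9.1 == 9.1.0
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// CheckUpdate accepts a manifest only if it is signed by the registered key, names the
// registered program and is newer. It returns the version to install, or "" if nothing to do.
func CheckUpdate(reg Registration, raw, sig []byte) (string, error) {
	if !ed25519.Verify(reg.PublicKey, raw, sig) {
		return "", fmt.Errorf("%s: manifest not signed by the registered key", reg.Name)
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil || m.Name != reg.Name {
		return "", fmt.Errorf("%s: unusable manifest (%v, name %q)", reg.Name, err, m.Name)
	}
	if !versionLess(reg.Version, m.Version) {
		return "", nil // already current, or a downgrade: ignore
	}
	return m.Version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the vendor's key, pinned at install
	reg := Registration{"FooBar", "9.1", "https://foobar.example/update.json", pub}
	raw, _ := json.Marshal(Manifest{"FooBar", "9.1.2"})
	fmt.Println(CheckUpdate(reg, raw, ed25519.Sign(priv, raw))) // 9.1.2 <nil>
}
```

A manifest signed with any other key is rejected, so taking over the update URL alone yields nothing. What the signature cannot do is vet the registration itself: a program that registers its own key signs its own manifests, which is the gap the oversight comment points at.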
    14. Re:Huh? by Cid+Highwind · · Score: 2, Insightful

      I don't see anything wrong with the current model of having each program "phone home" and check for updates when you run it.

      I do. If something like Adobe Reader only checks for updates when you use it, and you rarely use pdf documents, it will sometimes fall a few versions behind. Then when you encounter a web site that embeds some pdf-exploit-of-the-week, your system gets pwnt while Reader is still waiting to hear back from the update server.

      Most vendors' cure for that: to install yet another goddamn advertising-laden, disk-thrashing, login-delaying updater with yet another tray icon that wants attention all the time, is sub-optimal to say the least.

      --
      0 1 - just my two bits
    15. Re:Huh? by arndawg · · Score: 4, Funny

      MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

      Must.. resist... urge... to... make... joke... about... MS.. and.. courts... and... crapware

      Must... try.... to.....make.....up ..something....funny...but...i'm..not..able...to...so..i'll..just ...pretend ...that... i ...dont... want.. to..

    16. Re:Huh? by commodore64_love · · Score: 2, Insightful

      As a hardware engineer I hate the rise of firmware. I'm used to the old paradigm where you buy a VCR or TV, and it "just works". No updates needed because it's spent several months in debugging, and arrives at your door with virtually no flaws. I've got a TV that's 30 years old and a VCR that's over 20 and a CD player that's around 15 years old. They never, ever needed an update in all that time.

      But now we have lazy folks like Sony or Toshiba putting out Bluray or HD DVD players that require upgrading every month, else they won't play the latest movies. That's just stupid. If this trend continues the consumer will be expected to spend several hours on the 1st of each month to upgrade their TV, their DVR, their DVD/Bluray player, their Fridge, their Stove, their Microwave, their Clock, their Phone (both wired and wireless), their playstation, their xbox, and on and on and on.

      People already complain Daylight Savings Time is a hassle - this new firmware instead of hardware world will be a hundred times worse. Engineers - stop being lazy and saying "we'll fix it later". Marketers - stop setting unrealistic schedules that don't allow time for testing. Make it work the FIRST time without needing patches. Quality control should happen in the factory, not the consumer's living room.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  3. Adobe Reader has always been bad for this. by BikeHelmet · · Score: 2, Interesting

    Adobe Reader has always been bad for this - even back when it was called Acrobat Reader.

    Aside from having dozens of different versions installed - whatever version you installed was always out of date, unless you started it up (which took ages), and clicked the Check for Updates button. Then it'd tell you you're out of date. You download an update, it restarts, and then you do it again... and it downloads another update. It installs the update, and restarts, and then you do it a third time to check for another update.

    After all, jumping from 8.1 to 8.1.3 is much too large of an increment. Each version must be applied incrementally, and it's completely illogical to download every required update at the same time.

    Ahh... the fond memories! It takes me right back. Now I remember their artificially slow installers, that did nothing for minutes on end just because of your OS. Such pleasant times!

    1. Re:Adobe Reader has always been bad for this. by bheer · · Score: 2, Interesting

      That's bothered the heck out of me too! It's almost like Adobe doesn't have a clue about doing proper updates. They should really pay some guys from Mozilla to come and teach 'em. Say what you like about Firefox, it was the first Windows product I've used which devoted a good deal of engineering thought to making updates easy.

  4. Rewarding incompetence by mr_stark · · Score: 5, Informative

    Don't use Acrobat... There are several alternatives available, all less bloated:

    GPL'd PDF reader: http://blog.kowalczyk.info/software/sumatrapdf/index.html

    Commercial: http://www.foxitsoftware.com/pdf/reader/

    --
    I can't think of anything witty right now
    1. Re:Rewarding incompetence by bheer · · Score: 5, Informative

      Unfortunately, it isn't that simple. Many of the alternatives lack key features that make it difficult for many users.

      IIRC there are some kinds of PDF Forms which still cause problems in Foxit Reader. Also, because Foxit doesn't have CoolType and Adobe does, PS/OpenType fonts which are not specifically hinted for the screen (and are used by many design shops) look *much* better on Adobe reader than Foxit, making it invaluable for pre-publishing previews.

      Also, specifically for Foxit -- it has its own share of vulnerabilities.

  5. Re:Nitpick by IBBoard · · Score: 2, Informative

    Complaining that initial download contains 9.1 vs 9.1.2 is just splitting hairs.

    That depends on the difference between 9.1 and 9.1.2. If the difference is a week or two (i.e. the bug fixes haven't been out long) then it's not unreasonable to have a delay updating the download (although it would obviously be better to update it as well rather than distribute known vulnerabilities). If the difference between them is several months or more then it's less excusable and they've had plenty of time to update it.

  6. Re:Who the heck still uses Acrobat Reader? by IBBoard · · Score: 3, Insightful

    How many websites have you seen that say "here's a PDF of a document - you'll need to download Adobe Reader [insert link] if you want to view it" and how many say "here's a PDF of a document - you'll need to download a PDF reader such as Adobe Reader [insert link], Foxit [insert link], ... if you want to view it"? Most commercial sites that distribute PDFs recommend Adobe, and if you're not a techy then you'll assume that Adobe is all you can use. Why do you think so many people used IE6 when Firefox and Opera were available?

  7. Re:Downloading Adobe Bloater? by Norsefire · · Score: 2, Insightful

    If all a person ever needs to do is read a document published on the web, he doesn't even NEED any features.

    At least you've made the clarification. There are too many people who reckon Acrobat is bloated because they have never done anything more with a PDF than double-click the icon and read it. In the industry I work in, Acrobat is missing features that we need, which we make up for by using plugins.

  8. Re:Who the heck still uses Acrobat Reader? by Norsefire · · Score: 3, Funny

    Who the heck still uses Acrobat Reader?

    Anyone who needs to do more with a PDF than simply read it.

  9. Re:Evince vs. Acrobat by L4t3r4lu5 · · Score: 2, Insightful

    How about the other five listed here? I'm not running Linux, so I can't wipe your bottom for you. Maybe some research on your part would be useful?

    Here, I'll save you some effort and GoogleThatForYou

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  10. Re:Evince vs. Acrobat by CarpetShark · · Score: 2, Insightful

    Evince is pretty lacking in PDF functionality anyway. If you want to compare best of breed on each system, you should probably compare KPDF. It would still fall short of Acrobat Reader. However, I think it's silly to expect otherwise, given that Adobe set the standard AND develop the software meeting that standard in one go.

  11. Google docs by beadwindow · · Score: 3, Interesting

    Google Docs opens PDFs.

  12. Why should a 'reader' be a security issue anyway? by dtjohnson · · Score: 4, Insightful

    Adobe began using JavaScript in their reader beginning with v7 and that has opened up this whole new world of security issues. Wouldn't it be better if the 'reader' just rendered a static file and didn't run embedded script?
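A defender-side check for the embedded-script concern above, added here as an example and not code from the thread: a scan over the raw bytes of a PDF for the name objects that request script execution, open-time actions or external launches, decoding PDF's #xx name escapes first so that an escaped spelling is not missed. The sample document is constructed for the check and carries no real script.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Names whose presence means the file asks the reader to do more than draw
// pages: run script, act when opened or on an event, or start a program.
var activeNames = []string{"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}

// A name must be followed by a delimiter, so /JS does not match inside /JSX.
var activePatterns = func() map[string]*regexp.Regexp {
	m := map[string]*regexp.Regexp{}
	for _, n := range activeNames {
		m[n] = regexp.MustCompile(regexp.QuoteMeta(n) + `([^A-Za-z0-9#]|$)`)
	}
	return m
}()

var hexEscape = regexp.MustCompile(`#([0-9A-Fa-f]{2})`)

// normaliseNames decodes PDF name escapes such as /J#53 -> /JS, so an
// escaped spelling does not slip past a plain substring match.
func normaliseNames(pdf []byte) []byte {
	return hexEscape.ReplaceAllFunc(pdf, func(m []byte) []byte {
		v, _ := strconv.ParseUint(string(m[1:]), 16, 8)
		return []byte{byte(v)}
	})
}

// ScanPDF counts each active-content name in the file. Only names in
// uncompressed objects are visible: a /FlateDecode object stream hides its
// dictionaries from this pass, so an empty result is not proof of a static file.
func ScanPDF(pdf []byte) map[string]int {
	norm := normaliseNames(pdf)
	hits := map[string]int{}
	for name, re := range activePatterns {
		if n := len(re.FindAll(norm, -1)); n > 0 {
			hits[name] = n
		}
	}
	return hits
}

// Constructed sample, not a real document: a one-page PDF whose catalog's
// /OpenAction points at a JavaScript action, with /JS written as /J#53 to
// exercise the escape handling. The script body is a placeholder string.
const samplePDF = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /J#53 (script body omitted) >> endobj
trailer << /Root 1 0 R >>
%%EOF`

func main() {
	fmt.Println(ScanPDF([]byte(samplePDF))) // map[/JS:1 /JavaScript:1 /OpenAction:1]
}
```

Dictionaries inside compressed object streams are invisible to a flat byte scan, so treat this as a triage filter to run before a real PDF parser, not as a verdict.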

  13. Re:Who the heck still uses Acrobat Reader? by jonadab · · Score: 2, Funny

    > How many websites have you seen that say "here's a PDF of a document -
    > you'll need to download Adobe Reader [insert link] if you want to view it"

    If the webmaster had ever watched an end user try to use a computer, he'd Stop Doing That.

    Almost universally, the end user does not understand the above paragraph. He gets as far as the link to Acrobat Reader, clicks it (even though of course his computer already has Acrobat Reader; but he doesn't know that, because he doesn't even know what it means), and expects to immediately see the content he's looking for (even though he hasn't clicked, or even noticed, the link to the actual document; generally he thinks the download link he just clicked *is* the document). If he's lucky, at this point, the web browser downloads Yet Another Copy of the Adobe installer and puts it in the default download folder (probably the desktop, unless the computer's been worked over by a competent computer geek at some point). At this point the user has absolutely no idea why the document isn't opening, so he tries again. And again. I've never EVER seen an end user's default download folder with fewer than three copies of the Adobe installer, and six or eight is more common. Eventually, depending on what kind of person the user is, he either gives up (this is the most common outcome) or seeks help from someone he thinks is a computer expert. If he's lucky, his "computer expert" actually understands enough about computers to help him, but at least half the time it's somebody just as clueless as he is (albeit more confident), and they tell him his computer has a virus, which confirms what he suspected anyhow.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  14. Don't use Acrobat! by crhylove · · Score: 2, Informative

    Acrobat is like a giant virus on every machine I've run it on.

    SumatraPDF is much, much faster and better.

    Besides Adobe is a Fox news sponsor. Don't give them your money or your ram!!!

    http://portableapps.com/de/apps/office/sumatra_pdf_portable

    --
    I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.