Adobe Chided For Insecure Acrobat Reader

The Register covers security firm Secunia calling out Adobe for its insecure distribution practices with regard to Adobe Reader. (Here is Secunia's note.) The accusation is that the way Adobe provides Reader extends the software's window of vulnerability once an exploit has begun to circulate. Version 9.1 of Reader, which is what you get when you visit the official download site, contains 10 vulnerabilities that were patched by later releases. "Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild... Visitors who obtain Adobe Reader from the company's official downloads page will find that it installs version 9.1 of the program on their computers, even though the most recent version was 9.1.2 at time of writing. That could put users at considerable peril given the number of vulnerabilities fixed in the two iterations that have come since 9.1, complains Secunia..."

What?

There's a version without vulnerabilities?

Re:What?

[Jurily]

There's a version without vulnerabilities?

Yeah, the experimental branch called Foxit Reader. I heard it's a lot faster, too.

Re:What?

[Kozz]

Gesundheit.

Huh?

[CarpetShark]

Just about every binary distribution on windows is doing something similar these days. Short of someone building a proper, open, distributed, secure package manager for windows, they're probably doing the best they can by having updates at all. It's better than having to go check the webpage for corrections.

That said, if this kind of complaint becomes more common, and all software is seen as flawed in this regard, then it'll be a great push towards proper package management on windows.

Re:Huh?

[DavidRawling]

The thing is, they (Secunia) have a point. Why are Adobe offering the old version, and requiring updates post-installation, for a version that is known to have serious issues.

Let's face it, people install it because they want to view the PDF file they've just received, or downloaded. They're not going to be conscientious about updates because they just downloaded it and they expect it to be up to date. Let's not forget that plugins have pretty much always worked that way (eg Flash).

Re:Huh?

[rysiek]

The problem is not that there is no package manager, automagically updating the packages; the problem is, on Adobe Reader's official download page there is an outdated version featured. So everybody that get's directed to that page through google search or whatever, dowanloads and installs an unpatched, vulnerable and exploitable version. Cheers

Re:Huh?

[MichaelSmith]

If Adobe didn't want to continually change the released version they could change the installer once to check for new versions.

Re:Huh?

[bheer]

Indeed. And given that Windows Update already exists, and given that Microsoft is antitrust-law bound to allow everyone equal access to Windows, why not open up Windows Update to allow it to update all your apps? Microsoft Update (an extension to Windows Update) already updates things like Office, .net, silverlight, etc. So why not publish a white paper on how to get your app included in Windows Update in a fair, non-discriminatory manner?

(Alternatively, folk could band around the open-source GoogleUpdate backend. These days it doesn't even run all the time.)

I for one would love to see the end of lots of different *update.exe apps running on the average user's computer.

Re:Huh?

[hairyfeet]

As a PC repairman I hate to break the news to y'all, but home users never update the damned PC. you could give them Apt and it would be just one more update they don't actually use. I have had machine come across my desk with 4+ year old copies of Norton AV (expired of course) and not a single update applied since it left the factory. That is just SOP for a good 90% of home users.

That is why my customers love me so much, because my motto is "do the thinking so they don't have to". So not only do I use Autopatcher to install all the current updates and have the latest service packs as well as set autoupdate for the OS, but I install Foxit set to autoupdate, have Spybot scheduled to autoupdate and scan, install Comodo AV/Firewall and have it set to scan on the customers schedule, install Firefox and set it to be the default browser, install the latest Flash and Shockwave and Java as well as Klite Mega codec pack so I don't have to worry about them downloading dodgy codecs, and finally install VLC Player which autoupdates and have it set as default video player.

While I don't get the return business of those that just reinstall and hand it to the customer to bone again I make up for that in referrals. But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation and I'm sure the EU would find a reason to have a shitfit, but then MSFT would get to deal with 3 or 4 years worth of lawsuits when they refuse to "provide" the myriad of programs that insist on installing toolbars or unrelated programs, like Java (toolbar) or iTunes (unrelated Safari and Quicktime).

So while having a central repository works for Linux, it simply would never work for Windows. Between trialware, crapware, toolbar installers, and unrelated installers you would either make it a one stop shop for crap which means the users would never allow it to run, or MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

Re:Huh?

[jgrahn]

But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation and I'm sure the EU would find a reason to have a shitfit, but then MSFT would get to deal with 3 or 4 years worth of lawsuits when they refuse to "provide" the myriad of programs that insist on installing toolbars or unrelated programs, like Java (toolbar) or iTunes (unrelated Safari and Quicktime).

So while having a central repository works for Linux, it simply would never work for Windows. Between trialware, crapware, toolbar installers, and unrelated installers you would either make it a one stop shop for crap which means the users would never allow it to run, or MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

How about a standard place in Windows where a newly installed program could register itself? Like, "I am FooBar version 69, and updates to me will be available at http://foobar.org/blah and signed with this public key". Then you could have a machine-global Update Everything button go through them and do updates as needed. Doesn't solve dependency trackning though.

(Not that I care -- it's the Windows users' problems, not mine.)

Re:Huh?

[commodore64_love]

"Hello. I am SpyBot version 42, and updates to me will be available at http://nigeriaisafunplacetosteal.com/ and signed with this public key."

There has to be some oversight from Microsoft to prevent this from happening, and we know from Apple's iPhone approval/disapproval process how well that does Not work.

Re:Huh?

[arndawg]

MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

Must.. resist... urge... to... make... joke... about... MS.. and.. courts... and... crapware

Must... try.... to.....make.....up ..something....funny...but...i'm..not..able...to...so..i'll..just ...pretend ...that... i ...dont... want.. to..

Rewarding incompetence

[mr_stark]

Dont use Acrobat... There are several alternatives available all less bloated:

GPL'd PDF reader: http://blog.kowalczyk.info/software/sumatrapdf/index.html

Commercial: http://www.foxitsoftware.com/pdf/reader/

Re:Rewarding incompetence

[bheer]

Unfortunately, it isn't that simple. Many of the alternatives lack key features that make it difficult for many users.

IIRC there are some kinds of PDF Forms which still cause problems in Foxit Reader. Also, because Foxit doesn't have CoolType and Adobe does, PS/OpenType fonts which are not specifically hinted for the screen (and are used by many design shops) look *much* better on Adobe reader than Foxit, making it invaluable for pre-publishing previews.

Also, specifically for Foxit -- it has its own share of vulnerabilities.

Re:Who the heck still uses Acrobat Reader?

[IBBoard]

How many websites have you seen that say "here's a PDF of a document - you'll need to download Adobe Reader [insert link] if you want to view it" and how many say "here's a PDF of a document - you'll need to download a PDF reader such as Adobe Reader [insert link], Foxit [insert link], ... if you want to view it"? Most commercial sites that distribute PDFs recommend Adobe, and if you're not a techy then you'll assume that Adobe is all you can use. Why do you think so many people used IE6 when Firefox and Opera were available?

Re:Who the heck still uses Acrobat Reader?

[Norsefire]

Who the heck still uses Acrobat Reader?

Anyone who needs to do more with a PDF than simply read it.

Google docs

[beadwindow]

google docs opens pdf's

Why should a 'reader' be a security issue anyway?

[dtjohnson]

Adobe began using javascript in their reader beginning with v7 and that has opened up this whole new world of security issues. Wouldn't it be better if the 'reader' just rendered a static file and didn't run embedded script?