Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Chided For Insecure Acrobat Reader

Posted by kdawson on from the old-skool-distribution dept.

The Register covers security firm Secunia calling out Adobe for its insecure distribution practices with regard to Adobe Reader. (Here is Secunia's note.) The accusation is that the way Adobe provides Reader extends the software's window of vulnerability once an exploit has begun to circulate. Version 9.1 of Reader, which is what you get when you visit the official download site, contains 10 vulnerabilities that were patched by later releases. "Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild... Visitors who obtain Adobe Reader from the company's official downloads page will find that it installs version 9.1 of the program on their computers, even though the most recent version was 9.1.2 at time of writing. That could put users at considerable peril given the number of vulnerabilities fixed in the two iterations that have come since 9.1, complains Secunia..."

7 of 179 comments (clear)

  1. What? by Anonymous Coward · · Score: 5, Funny

    There's a version without vulnerabilities?

  2. Re:Huh? by DavidRawling · · Score: 5, Insightful

    The thing is, they (Secunia) have a point. Why are Adobe offering the old version, and requiring updates post-installation, for a version that is known to have serious issues.

    Let's face it, people install it because they want to view the PDF file they've just received, or downloaded. They're not going to be conscientious about updates because they just downloaded it and they expect it to be up to date. Let's not forget that plugins have pretty much always worked that way (eg Flash).

  3. Re:Huh? by rysiek · · Score: 5, Insightful

    The problem is not that there is no package manager, automagically updating the packages; the problem is, on Adobe Reader's official download page there is an outdated version featured. So everybody that get's directed to that page through google search or whatever, dowanloads and installs an unpatched, vulnerable and exploitable version. Cheers

  4. Re:Huh? by MichaelSmith · · Score: 5, Insightful

    If Adobe didn't want to continually change the released version they could change the installer once to check for new versions.

    --
    http://michaelsmith.id.au
  5. Rewarding incompetence by mr_stark · · Score: 5, Informative

    Dont use Acrobat... There are several alternatives available all less bloated:

    GPL'd PDF reader: http://blog.kowalczyk.info/software/sumatrapdf/index.html

    Commercial: http://www.foxitsoftware.com/pdf/reader/

    --
    I can't think of anything witty right now
    1. Re:Rewarding incompetence by bheer · · Score: 5, Informative

      Unfortunately, it isn't that simple. Many of the alternatives lack key features that make it difficult for many users.

      IIRC there are some kinds of PDF Forms which still cause problems in Foxit Reader. Also, because Foxit doesn't have CoolType and Adobe does, PS/OpenType fonts which are not specifically hinted for the screen (and are used by many design shops) look *much* better on Adobe reader than Foxit, making it invaluable for pre-publishing previews.

      Also, specifically for Foxit -- it has its own share of vulnerabilities.

      --
      Go somewhere random
  6. Re:Huh? by hairyfeet · · Score: 5, Interesting

    As a PC repairman I hate to break the news to y'all, but home users never update the damned PC. you could give them Apt and it would be just one more update they don't actually use. I have had machine come across my desk with 4+ year old copies of Norton AV (expired of course) and not a single update applied since it left the factory. That is just SOP for a good 90% of home users.

    That is why my customers love me so much, because my motto is "do the thinking so they don't have to". So not only do I use Autopatcher to install all the current updates and have the latest service packs as well as set autoupdate for the OS, but I install Foxit set to autoupdate, have Spybot scheduled to autoupdate and scan, install Comodo AV/Firewall and have it set to scan on the customers schedule, install Firefox and set it to be the default browser, install the latest Flash and Shockwave and Java as well as Klite Mega codec pack so I don't have to worry about them downloading dodgy codecs, and finally install VLC Player which autoupdates and have it set as default video player.

    While I don't get the return business of those that just reinstall and hand it to the customer to bone again I make up for that in referrals. But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation and I'm sure the EU would find a reason to have a shitfit, but then MSFT would get to deal with 3 or 4 years worth of lawsuits when they refuse to "provide" the myriad of programs that insist on installing toolbars or unrelated programs, like Java (toolbar) or iTunes (unrelated Safari and Quicktime).

    So while having a central repository works for Linux, it simply would never work for Windows. Between trialware, crapware, toolbar installers, and unrelated installers you would either make it a one stop shop for crap which means the users would never allow it to run, or MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

    --
    ACs don't waste your time replying, your posts are never seen by me.