Adobe Offering Insecure Adobe Reader Version For Download, Beware
Adobe just recently released updates to their pdf reader Adobe Reader, raising its version to 9.3.3. The update fixed several security issues of which at least one was actively exploited in the wild. Computer users who visit the Adobe website might notice that Adobe is not offering that version for download, anywhere on the page.
Instead they are still offering Adobe Reader 9.3 for download, a version that has been releases in January 2010, and updated three times since then to fix security vulnerabilities of which some are used in attacks.
This opens a can of worms and raises a question, how are Adobe Reader downloaders supposed to know that the version offered is not the latest? They apparently do not get that information on the Adobe Reader download page, nor are they informed about the insecure version on startup of the pdf reader.
Adobe seems to solely rely on the Adobe Reader and Acrobat Manager, Adobearm which is configured as a startup process to launch with the operating system. This in itself is problematic depending on the computer system. Adobe ARM does not get executed before the next startup, which means that systems that run 24/7 will be insecure for that time, unless the administrator updates the program manually.
It is also inefficient if the computer user decided to block the program from being started automatically with the operating system. That's highly understandable considering that Adobe does not provide local information about the startup item. A quick search on the Internet confirms the confusion as many users thought that the process was for ARM processors only.
Lastly, users who do not allow automatic updates on their system will also be left with an insecure version of Adobe Reader.
How to update Adobe Reader
There are two possibilities to update Adobe Reader. The first is to use the Help > Check For Updates option in the program itself. That's obviously only an option if the computer is connected to the Internet as it will query Adobe servers to retrieve the latest version.
The second option is to download the patches for Adobe Reader directly from the Adobe website.
Adobe Reader 9.3.1 Windows, Mac (Intel), Mac, Unix
Adobe Reader 9.3.2 Windows, Mac (Intel), Mac, Unix
Adobe Reader 9.3.3 Windows, Mac (Intel), Mac, Unix
Product Update Pages: Windows, Mac, Unix
Do you have Adobe Reader installed on your system? If so, which version is it?
Advertisement
The fully patched adobe reader v9.3.3 will be posted on July 13, 2010. I posted on this topic in April:
http://blogs.adobe.com/asset/2010/04/an_update_on_staying_up-to-dat.html
Brad Arkin
Sr director, product security & privacy
Adobe systems
If this wasn’t enough, here is an article that makes interesting reading.
http://www.theregister.co.uk/2010/07/02/win_app_security_defences/
I just downloaded the reader last night, and as soon as it finished installing, I received notice that an update was ready, so I downloaded the one with the security hole, but it patched it before I could even use the reader, so no harm done.
Bobby then you had a resident program running in the background, maybe Adobe Download Manager or one of the other Adobe programs that are running in the background. Not everyone gets those or wants those.
Adobe does this deliberately. Because when someone installs a hacked version of an Adobe product it automatically gets locked whenever that someone runs an Adobe Update routine.
It’s their lazy way of locking our pirates :)
I highly doubt that Dante, especially since Adobe Reader is a free program :) Imagine they would be doing it like Microsoft, allowing access to security patches even if you are running a cracked version.
Adobe Reader is free. But Adobe Acrobat (that can edit PDFs) and other Adobe products are not. And since the Reader is generally needed on most machines, the very fact that Reader requires online access to update will lock out any of the hacked Adobe products on the PC. I’ve tested this out myself :)
As stated in the past, I have the licensed versions of products I use, I just like hacks to block sending out my personal info. (i.e. after installing that very cheap Windows 7 Pro that I had learned about from your site, I promptly reformatted and installed the Windows 7 BIE hack.)
The way around Adobe’s update locking out the hacks is not to run the update routines, but manually download the patches to Reader and leave out the patches to the hacks.
Adobe has always done this. It’s really annoying to download and install software just to have to update it immediately. Whether or not it’s a good thing, the Adobe Updater has been getting more aggressive so it should update the software pretty quickly after having it installed.
I wish they would serve up the latest version in the download and it looks like I’m getting my way. Starting in 2 weeks, Adobe said they’ll serve up the latest version as a download according to:
http://blogs.adobe.com/adobereader/2010/06/adobe_reader_and_acrobat_933_a.html
Yes and, cherry on the cake, I’d apply the patches in their natural order (who knows if there aren’t any back/forwards incompatibilities unless one is aware of the exact content of the problems patched ? — not me !)
I’m up to 9.3.3 at this time, but I would have thought until now that a patch included previous patch(es), that is, should have I had to reinstall Adobe Reader I would have installed the core 9.3.0 (installer) and then the patch 9.3.3, skipping patches 9.3.1 and 9.3.2 … (thanks, Martin)
Why does Adobe not recode a clean 9.3.3 installer ? Are they as lazy as Steve Jobs once pointed out ? This is a real pain.
Transcontinental, I thought about this for a while. I was not sure if the latest patch included the previous patches as well. I checked the download page and it states for Adobe Reader 9.3.3 “Note: This is update can be applied to Adobe Reader 9.3.2”. (yes the spelling error is there on the page). This suggests to me that you need to download and install all three patches to bring Adobe Reader to version 9.3.3.
No idea why they are handling it this way, it is not user friendly nor secure in my opinion.