Adobe Still Offering Insecure Adobe Reader Version
If you are a Ghacks regular, you have no doubt noticed that Adobe published an update for Adobe Reader and Adobe Acrobat yesterday that fixes two security vulnerabilities affecting Adobe Reader and Acrobat 9.3 and earlier.
The update that has been released updates both products to version 9.3.1. One would think that this should have been the end of the story but it apparently is not.
The rather strange thing is that Adobe is still offering Adobe Reader 9.3.0 on their official download site, the version that the two security vulnerabilities have been detected in.
If you click on Get Adobe Reader on the official Adobe homepage, you will notice that it still offers Adobe Reader 9.3 and not the updated Adobe Reader 9.3.1. This in turn means that users who download Adobe Reader from Adobe install software with known security vulnerabilities.
Adobe offers the security update for Adobe Reader 9.3.0 on a separate page that is not directly linked to the PDF reader on the official download page.
It is not clear why Adobe has not released version 9.3.1 of Adobe Reader as a standalone download or why they are not including information about the security update on the official download page.
The only option users have at this point is to install Adobe Reader 9.3.0 and then apply the security update to patch the PDF reader to version 9.3.1.
This is far from convenient, and will probably leave some systems unpatched as a consequence.
Update: You can download the latest version of Adobe Reader, which is version 2015.016.20039 at the time of writing, from the Adobe website. This takes care of the security issues in Adobe Reader 9.3.0. As of right now, Adobe is offering the latest version of Adobe Reader for download on its website.
I don’t really know if the alternative programs have security issues or not, I suppose some issues will only become apparent over time. Still, with Adobe I am annoyed that almost every other week there is another patch necessary and it feels like you are always behind the update curve.
I too have removed Adobe from all PCs where I can use alternative readers.
People criticize Acrobat Reader as if no other pdf readers suffer security problems. Surely other readers that offer the same features have the same potential for security problems. I think alternative readers give a false sense of security to people.
Am not sure, but Adobe had a problem late last year (September or October time-frame), which was partially resolved with Adobe Reader 9.2, then further resolved with Adobe Reader 9.3. However, the Java interface problem (from late last year) wasn’t fixed. It is quite possible the Java interface is now OK, which would explain Adobe’s rush to issue Adobe Reader 9.3.1 prior to their regular update cycle (believe it is monthly) because it would make them look better, if I am correct in my thinking. By the way, Adobe did a quick re-issue of Flash Player 100452 at the same time, possibly for a similar reason (the Flash Player has the same number as one issued a few days earlier, but the file size is different).
Typical Adobe behavior.
Thanks for the heads up, Martin.
I do not have Adobe Reader open PDFs in my browser and I do not permit it to connect to the internet, all of which I presume limits risk. I use PDF-XChange Viewer for most everything, with the one exception of some books, as Adobe still has a slight edge on font rendering over others.
…or PDFXchange PDF viewer.
Too bad that, usually, only tech minded people read sites like these and know about these alternatives. Average Joe of course is completely unaware…
Yet another great reason to switch to Foxit pdf reader.
For some reason, Adobe refuses to prepare a full installer package. It has been widely criticized for offering just patches in the past. And they are still doing the same thing.
Thanks. I was looking for this as some systems I do not allow on the web to auto update.
The best option is to put Adobe Reader out to pasture.