Adobe Offering Insecure Adobe Reader Version For Download, Beware - gHacks Tech News

Adobe Offering Insecure Adobe Reader Version For Download, Beware

Adobe just recently released updates to their pdf reader Adobe Reader, raising its version to 9.3.3. The update fixed several security issues of which at least one was actively exploited in the wild. Computer users who visit the Adobe website might notice that Adobe is not offering that version for download, anywhere on the page.

Instead they are still offering Adobe Reader 9.3 for download, a version that has been releases in January 2010, and updated three times since then to fix security vulnerabilities of which some are used in attacks.

adobe reader
adobe reader

This opens a can of worms and raises a question, how are Adobe Reader downloaders supposed to know that the version offered is not the latest? They apparently do not get that information on the Adobe Reader download page, nor are they informed about the insecure version on startup of the pdf reader.

Adobe seems to solely rely on the Adobe Reader and Acrobat Manager, Adobearm which is configured as a startup process to launch with the operating system. This in itself is problematic depending on the computer system. Adobe ARM does not get executed before the next startup, which means that systems that run 24/7 will be insecure for that time, unless the administrator updates the program manually.

It is also inefficient if the computer user decided to block the program from being started automatically with the operating system. That's highly understandable considering that Adobe does not provide local information about the startup item. A quick search on the Internet confirms the confusion as many users thought that the process was for ARM processors only.

Lastly, users who do not allow automatic updates on their system will also be left with an insecure version of Adobe Reader.

How to update Adobe Reader

There are two possibilities to update Adobe Reader. The first is to use the Help > Check For Updates option in the program itself. That's obviously only an option if the computer is connected to the Internet as it will query Adobe servers to retrieve the latest version.

adobe reader update
adobe reader update

The second option is to download the patches for Adobe Reader directly from the Adobe website.

Adobe Reader 9.3.1 Windows, Mac (Intel), Mac, Unix
Adobe Reader 9.3.2 Windows, Mac (Intel), Mac, Unix
Adobe Reader 9.3.3 Windows, Mac (Intel), Mac, Unix

Product Update Pages: Windows, Mac, Unix

Do you have Adobe Reader installed on your system? If so, which version is it?

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Transcontinental said on July 3, 2010 at 11:34 am
    Reply

    I’m up to 9.3.3 at this time, but I would have thought until now that a patch included previous patch(es), that is, should have I had to reinstall Adobe Reader I would have installed the core 9.3.0 (installer) and then the patch 9.3.3, skipping patches 9.3.1 and 9.3.2 … (thanks, Martin)
    Why does Adobe not recode a clean 9.3.3 installer ? Are they as lazy as Steve Jobs once pointed out ? This is a real pain.

    1. Martin said on July 3, 2010 at 11:40 am
      Reply

      Transcontinental, I thought about this for a while. I was not sure if the latest patch included the previous patches as well. I checked the download page and it states for Adobe Reader 9.3.3 “Note: This is update can be applied to Adobe Reader 9.3.2”. (yes the spelling error is there on the page). This suggests to me that you need to download and install all three patches to bring Adobe Reader to version 9.3.3.

      No idea why they are handling it this way, it is not user friendly nor secure in my opinion.

  2. Transcontinental said on July 3, 2010 at 11:51 am
    Reply

    Yes and, cherry on the cake, I’d apply the patches in their natural order (who knows if there aren’t any back/forwards incompatibilities unless one is aware of the exact content of the problems patched ? — not me !)

  3. Jason said on July 3, 2010 at 2:25 pm
    Reply

    Adobe has always done this. It’s really annoying to download and install software just to have to update it immediately. Whether or not it’s a good thing, the Adobe Updater has been getting more aggressive so it should update the software pretty quickly after having it installed.

    I wish they would serve up the latest version in the download and it looks like I’m getting my way. Starting in 2 weeks, Adobe said they’ll serve up the latest version as a download according to:
    http://blogs.adobe.com/adobereader/2010/06/adobe_reader_and_acrobat_933_a.html

  4. DanTe said on July 3, 2010 at 5:48 pm
    Reply

    Adobe does this deliberately. Because when someone installs a hacked version of an Adobe product it automatically gets locked whenever that someone runs an Adobe Update routine.

    It’s their lazy way of locking our pirates :)

    1. Martin said on July 3, 2010 at 5:54 pm
      Reply

      I highly doubt that Dante, especially since Adobe Reader is a free program :) Imagine they would be doing it like Microsoft, allowing access to security patches even if you are running a cracked version.

      1. DanTe said on July 3, 2010 at 6:21 pm
        Reply

        Adobe Reader is free. But Adobe Acrobat (that can edit PDFs) and other Adobe products are not. And since the Reader is generally needed on most machines, the very fact that Reader requires online access to update will lock out any of the hacked Adobe products on the PC. I’ve tested this out myself :)

        As stated in the past, I have the licensed versions of products I use, I just like hacks to block sending out my personal info. (i.e. after installing that very cheap Windows 7 Pro that I had learned about from your site, I promptly reformatted and installed the Windows 7 BIE hack.)

        The way around Adobe’s update locking out the hacks is not to run the update routines, but manually download the patches to Reader and leave out the patches to the hacks.

  5. BobbyPhoenix said on July 3, 2010 at 10:40 pm
    Reply

    I just downloaded the reader last night, and as soon as it finished installing, I received notice that an update was ready, so I downloaded the one with the security hole, but it patched it before I could even use the reader, so no harm done.

    1. Martin said on July 3, 2010 at 10:51 pm
      Reply

      Bobby then you had a resident program running in the background, maybe Adobe Download Manager or one of the other Adobe programs that are running in the background. Not everyone gets those or wants those.

  6. Womble said on July 4, 2010 at 2:52 am
    Reply

    If this wasn’t enough, here is an article that makes interesting reading.

    http://www.theregister.co.uk/2010/07/02/win_app_security_defences/

  7. Brad Arkin said on July 7, 2010 at 6:32 pm
    Reply

    The fully patched adobe reader v9.3.3 will be posted on July 13, 2010. I posted on this topic in April:

    http://blogs.adobe.com/asset/2010/04/an_update_on_staying_up-to-dat.html

    Brad Arkin
    Sr director, product security & privacy
    Adobe systems

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.