Security Software

Adobe Chided For Insecure Acrobat Reader

The Register covers security firm Secunia calling out Adobe for its insecure distribution practices with regard to Adobe Reader. (Here is Secunia's note.) The accusation is that the way Adobe provides Reader extends the software's window of vulnerability once an exploit has begun to circulate. Version 9.1 of Reader, which is what you get when you visit the official download site, contains 10 vulnerabilities that were patched by later releases. "Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild... Visitors who obtain Adobe Reader from the company's official downloads page will find that it installs version 9.1 of the program on their computers, even though the most recent version was 9.1.2 at time of writing. That could put users at considerable peril given the number of vulnerabilities fixed in the two iterations that have come since 9.1, complains Secunia..."

  • by BikeHelmet ( 1437881 ) on Wednesday July 22, 2009 @05:23AM (#28779467) Journal

    Adobe Reader has always been bad for this - even back when it was called Acrobat Reader.

    Aside from having dozens of different versions installed - whatever version you installed was always out of date, unless you started it up (which took ages), and clicked the Check for Updates button. Then it'd tell you you're out of date. You download an update, it restarts, and then you do it again... and it downloads another update. It installs the update, and restarts, and then you do it a third time to check for another update.

    After all, jumping from 8.1 to 8.1.3 is much too large of an increment. Each version must be applied incrementally, and it's completely illogical to download every required update at the same time.

    Ahh... the fond memories! It takes me right back. Now I remember their artificially slow installers, that did nothing for minutes on end just because of your OS. Such pleasant times!

  • Re:Huh? (Score:5, Interesting)

    by bheer ( 633842 ) <rbheer@gmail.AUDENcom minus poet> on Wednesday July 22, 2009 @05:48AM (#28779547)

    Indeed. And given that Windows Update already exists, and given that Microsoft is antitrust-law bound to allow everyone equal access to Windows, why not open up Windows Update to allow it to update all your apps? Microsoft Update (an extension to Windows Update) already updates things like Office, .net, silverlight, etc. So why not publish a white paper on how to get your app included in Windows Update in a fair, non-discriminatory manner?

    (Alternatively, folk could band around the open-source GoogleUpdate backend. These days it doesn't even run all the time [blogspot.com].)

    I for one would love to see the end of lots of different *update.exe apps running on the average user's computer.

  • by bheer ( 633842 ) <rbheer@gmail.AUDENcom minus poet> on Wednesday July 22, 2009 @05:53AM (#28779555)

    That's bothered the heck out of me too! It's almost like Adobe doesn't have a clue about doing proper updates. They should really pay some guys from Mozilla to come and teach 'em. Say what you like about Firefox, it was the first Windows product I've used which devoted a good deal of engineering thought to making updates easy.

  • Re:Huh? (Score:3, Interesting)

    by Spit ( 23158 ) on Wednesday July 22, 2009 @06:11AM (#28779617)

    All they can? Are you fucking serious? How about not coding such shitty software in the first place, for starters.

  • Re:Huh? (Score:3, Interesting)

    by jonwil ( 467024 ) on Wednesday July 22, 2009 @06:17AM (#28779639)

    I have the following updaters running on my system:
    Miranda IM (built into the program and just opens the URL to the new full-installer in the default browser)
    AVG (built into the resident parts of the program)
    Acrobat Reader Updater
    Sun Java Updater
    Microsoft Update (set to not download automatically since I prefer to have choice in which updates I install)
    various games (most of which check for updates when I connect to the online bit)

    Conversely, there are programs I wish DID have automatic updaters:
    SeaMonkey (my copy of 1.1.x doesn't seem to have one)
    Nvidia Display Drivers (the only way to go seems to be manual download or via some widget that SM1.1.x doesn't support)

  • Google docs (Score:3, Interesting)

    by beadwindow ( 1578749 ) on Wednesday July 22, 2009 @07:10AM (#28779803)
    Google Docs opens PDFs
  • Re:Huh? (Score:3, Interesting)

    by bheer ( 633842 ) <rbheer@gmail.AUDENcom minus poet> on Wednesday July 22, 2009 @07:20AM (#28779851)

    Indeed, that is exactly what the IE7 and IE8 installers do. So even if someone burnt an old version of IE7/8 to CD and distributed it with a magazine, anyone installing it with a net connection would automatically get updates.

  • Re:Huh? (Score:5, Interesting)

    by jgrahn ( 181062 ) on Wednesday July 22, 2009 @07:41AM (#28779933)

    But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation and I'm sure the EU would find a reason to have a shitfit, but then MSFT would get to deal with 3 or 4 years worth of lawsuits when they refuse to "provide" the myriad of programs that insist on installing toolbars or unrelated programs, like Java (toolbar) or iTunes (unrelated Safari and Quicktime).

    So while having a central repository works for Linux, it simply would never work for Windows. Between trialware, crapware, toolbar installers, and unrelated installers you would either make it a one stop shop for crap which means the users would never allow it to run, or MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

    How about a standard place in Windows where a newly installed program could register itself? Like, "I am FooBar version 69, and updates to me will be available at http://foobar.org/blah [foobar.org] and signed with this public key". Then you could have a machine-global Update Everything button go through them and do updates as needed. Doesn't solve dependency tracking though.

    (Not that I care -- it's the Windows users' problems, not mine.)
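
The registration idea in the comment above (name, version, update URL, public key), sketched as an added example that is not part of the original thread and not any real Windows facility. The `Entry` schema, the JSON manifest layout and the choice of Ed25519 are assumptions; the key and manifest in `main` are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

type Entry struct { // what a program registers at install time (hypothetical schema)
	Name, Version, UpdateURL string
	PubKey                   ed25519.PublicKey
}

// newer compares dotted versions numerically (9.1.2 > 9.1); a bad component counts as 0.
func newer(a, b string) bool {
	for x, y := "", ""; a != "" || b != ""; {
		x, a, _ = strings.Cut(a, ".")
		y, b, _ = strings.Cut(b, ".")
		m, _ := strconv.Atoi(x)
		n, _ := strconv.Atoi(y)
		if m != n {
			return m > n
		}
	}
	return false
}

// Check authenticates the manifest first, then returns the version to install ("" if current).
func Check(e Entry, raw, sig []byte) (string, error) {
	if len(e.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(e.PubKey, raw, sig) {
		return "", fmt.Errorf("%s: bad manifest signature", e.Name)
	}
	var m struct{ Name, Version string }
	if err := json.Unmarshal(raw, &m); err != nil || m.Name != e.Name {
		return "", fmt.Errorf("%s: malformed or foreign manifest", e.Name)
	}
	if newer(m.Version, e.Version) {
		return m.Version, nil
	}
	return "", nil
}

func main() { // constructed key and manifest, for demonstration only
	pub, priv, _ := ed25519.GenerateKey(nil)
	raw := []byte(`{"Name":"FooBar","Version":"9.1.2"}`)
	fmt.Println(Check(Entry{"FooBar", "9.1", "http://foobar.org/blah", pub}, raw, ed25519.Sign(priv, raw)))
}
```

The signature is checked over the raw bytes before any parsing, so a manifest altered in transit from `UpdateURL` is rejected rather than interpreted.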

  • Re:What? (Score:2, Interesting)

    by Anonymous Coward on Wednesday July 22, 2009 @12:11PM (#28783045)

    Foxit is not failproof. One of my clients uses very, very detailed files in PDF showing many, many, many lines, shapes, squares and polygons (they're commercial real estate site plans). Foxit simply runs out of steam when rendering these and quits.

    Or it takes 55 minutes to print a 35 page PDF...

    Whereas Adobe 8 (or 9) will print / render the same in about ... 10 seconds
