Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Software

Adobe Chided For Insecure Acrobat Reader 179

The Register covers security firm Secunia calling out Adobe for its insecure distribution practices with regard to Adobe Reader. (Here is Secunia's note.) The accusation is that the way Adobe provides Reader extends the software's window of vulnerability once an exploit has begun to circulate. Version 9.1 of Reader, which is what you get when you visit the official download site, contains 10 vulnerabilities that were patched by later releases. "Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild... Visitors who obtain Adobe Reader from the company's official downloads page will find that it installs version 9.1 of the program on their computers, even though the most recent version was 9.1.2 at time of writing. That could put users at considerable peril given the number of vulnerabilities fixed in the two iterations that have come since 9.1, complains Secunia..."
This discussion has been archived. No new comments can be posted.

Adobe Chided For Insecure Acrobat Reader

Comments Filter:
  • What? (Score:5, Funny)

    by Anonymous Coward on Wednesday July 22, 2009 @04:16AM (#28779447)

    There's a version without vulnerabilities?

    • Re:What? (Score:5, Funny)

      by Jurily ( 900488 ) <jurily AT gmail DOT com> on Wednesday July 22, 2009 @06:13AM (#28779821)

      There's a version without vulnerabilities?

      Yeah, the experimental branch called Foxit Reader. I heard it's a lot faster, too.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Foxit is not failproof. One of my clients uses very, very detailed files in PDF showing many, many, many lines, shapes, squares and polygons (they're commercial real estate site plans). Foxit simply runs out of steam when rendering these and quits.

        Or it takes 55 minutes to print a 35 page PDF...

        Whereas Adobe 8 (or 9) will print / render the same in about ... 10 seconds

    • Re: (Score:2, Insightful)

      by dasherjan ( 1485895 )

      I never understood why a simple PDF reader needs to have enough access to a system that the vulnerabilities that are in the Adobe Reader could even exist. Of course I only use a PDF reader to actually read the file. I guess there are some âoesuper eliteâ things to do with Adobe Reader that I have no clue about.

      • I guess there are some "super elite" things to do with Adobe Reader that I have no clue about.

        No there aren't. Adobe's just continuing its tradition of producing bloatware.

        - Guy who works with PDFs a lot and recommends Foxit Reader.

  • Huh? (Score:5, Insightful)

    by CarpetShark ( 865376 ) on Wednesday July 22, 2009 @04:17AM (#28779449)

    Just about every binary distribution on windows is doing something similar these days. Short of someone building a proper, open, distributed, secure package manager for windows, they're probably doing the best they can by having updates at all. It's better than having to go check the webpage for corrections.

    That said, if this kind of complaint becomes more common, and all software is seen as flawed in this regard, then it'll be a great push towards proper package management on windows.

    • Re: (Score:3, Insightful)

      by moon3 ( 1530265 )
      proper, open, distributed, secure package manager for windows

      I still very much prefer the Internet to be the download system for Windows applications, where authors have control and choice over their distribution channels.
      • His suggestion by no means precludes your desire. Take APT+synaptic (or whatever GUI frontent you like, or just the command line if you want.), for instance. nice centralized way to get and update programs. But if you want to host .deb files on your own site and not deal with repositories, that works fine too.

        • Comment removed (Score:5, Interesting)

          by account_deleted ( 4530225 ) on Wednesday July 22, 2009 @06:10AM (#28779801)
          Comment removed based on user account deletion
          • Re:Huh? (Score:5, Interesting)

            by jgrahn ( 181062 ) on Wednesday July 22, 2009 @06:41AM (#28779933)

            But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation and I'm sure the EU would find a reason to have a shitfit, but then MSFT would get to deal with 3 or 4 years worth of lawsuits when they refuse to "provide" the myriad of programs that insist on installing toolbars or unrelated programs, like Java (toolbar) or iTunes (unrelated Safari and Quicktime).

            So while having a central repository works for Linux, it simply would never work for Windows. Between trialware, crapware, toolbar installers, and unrelated installers you would either make it a one stop shop for crap which means the users would never allow it to run, or MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

            How about a standard place in Windows where a newly installed program could register itself? Like, "I am FooBar version 69, and updates to me will be available at http://foobar.org/blah [foobar.org] and signed with this public key". Then you could have a machine-global Update Everything button go through them and do updates as needed. Doesn't solve dependency trackning though.

            (Not that I care -- it's the Windows users' problems, not mine.)

            • Re: (Score:3, Insightful)

              by Opportunist ( 166417 )

              I try to refrain from thinking too hard how to abuse this ... too late.

            • Re:Huh? (Score:5, Insightful)

              by commodore64_love ( 1445365 ) on Wednesday July 22, 2009 @07:30AM (#28780227) Journal

              "Hello. I am SpyBot version 42, and updates to me will be available at http://nigeriaisafunplacetosteal.com/ [nigeriaisa...osteal.com] and signed with this public key."

              There has to be some oversight from Microsoft to prevent this from happening, and we know from Apple's iPhone approval/disapproval process how well that does Not work.

              • Whats wrong with the iPhone approval processes? Just because you saw some twit blog about it doesn't make it true.

                They have like 50k apps in bearly over a year. You know what, you are right, the process is failing miserably because a few douchebags with some app that Apple didn't want included have big mouths and have been picked up by some blog.

                If the App Store is done 'wrong' or 'bad' then I pray to god that I can elevate my own business to the 'wrong' or 'bad' stage, I'll be rich bitch.

            • (Not that I care -- it's the Windows users' problems, not mine.)

              Well, if I were you, I'd care as these Windows users who don't update are running the botnets that end up putting spam in yours and my inboxes...

          • Re: (Score:2, Informative)

            by Gnavpot ( 708731 )

            But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation
            [...]
            So while having a central repository works for Linux, it simply would never work for Windows.

            It is obvious that your statement is based on a lack of knowledge of apt.

            Apt does not depend on a central repository. Yes, there is a cen

            • I was going to post this same thing. Also, if they make it like regular Automatic Updates, it would do the checking, downloading, and installing on its own. In fact, you can adjust it so it only checks and informs you of updates if you are paranoid, or checks and downloads but not installs if you don't want to be annoyed by the "You need to reboot NOW!" messages every 5 minutes while you are in the middle of working. All Microsoft would need to do would be to open up the protocols for the update server and

              • Comment removed based on user account deletion
                • I grant that MS would need to walk on eggshells here to prevent even more lawsuits, but I can't see how it wouldn open the door to malware any more than any other update mechanism for Windows. Not doing something just because it is possible (not even that it increases the risk) for it to be exploited would mean nothing would ever get done.

                  As for toolbars, they should stick with the current MSI/MSP model. When you install using an MSI file, there is normally a section asking what sections of the application

                • by Gnavpot ( 708731 )

                  And how long before every piece of malware on the planet exploited it

                  If a piece of malware can exploit an auto update service, that malware is already running. And not just running - it is running with administrator privileges.

                  If you have malware running on your system with administrator privileges, you have already lost. If that malware wants to download and install more malware, it can do so very easily. It certainly doesn't need an auto update service to accomplish that.

          • >>>As a PC repairman I hate to break the news to y'all, but home users never update the damned PC. you could give them Apt and it would be just one more update they don't actually use.

            I don't update my PC.

            It's because I no longer trust y'all.

            Too many times I've installed updates from Mickeysoft or Exploder or various Firepox Addons (think noscript), only to discover the latest update was, itself, broken. i.e. My computer stopped doing what it used to do. Why would I want to accept revisions of s

            • There was a time when we didn't have the internet and software shipped on floppies or CDs, so programmers were expected to get the software working 100% out the door. No second chances. i.e. The same constraints we hardware engineers have to deal with - get it right out the door.

              Broken releases that need to be updated in the first couple days out are definitely problematic, as are regressive patches, but the "good old days" when people weren't expected to have internet connections to update stuff still had

              • Re: (Score:3, Insightful)

                As a hardware engineer I hate the rise of firmware. I'm used to the old paradigm where you buy a VCR or TV, and it "just works". No updates needed because it's spent several months in debugging, and arrives at your door with virtually no flaws. I've got a TV that's 30 years old and a VCR that's over 20 and a CD player that's around 15 years old. They never, ever needed an update in all that time.

                But now we have lazy folks like Sony or Toshiba putting-out Bluray or HD DVD players that require upgrading

                • P.S.

                  I think the next time I encounter a "this movie (or game) won't play without firmware upgrade" error, I'll just pretend to be your typical ignorant consumer, and call Sony for help. If they're going to waste my time with monthly upgrades, then I'm going to waste their money with expensive telemarketing calls each time it happens.

                  Maybe it will drive them to get it right the first time, eliminate consumer callins, and thereby cut costs.

                • by sgtrock ( 191182 )

                  But now we have lazy folks like Sony or Toshiba putting-out Bluray or HD DVD players that require upgrading every month, else they won't play the latest movies.

                  That's just DRM working as designed. It's a feature! Ain't it great?

                  That's just stupid.

                  I couldn't agree more.

                  However, the rest of your concerns don't really fit all that well. We live in a world that is orders of magnitude more complex than what we grew up in. Much (most? virtually all?) of that complexity is due to features provided through s

                • The level of complexity involved in something like a bog-standard CD player as compared to a Bluray player is a world of difference.
                  A CD player needs to load a tray, see if there's a disc in it that it recognises and play back red book audio. If you're lucky, the engineers will have implemented a shuffle and a track programming mode. This is pretty basic stuff and can be done with a simple microcontroller.

                  A Bluray player on the other hand is a full-blown computer, it has it's own operating environment, has

          • by bberens ( 965711 )
            I have a cron job running on my linux machine which gets the latest version of everything every night at 2am, so I'm virtually always on the latest version available. Instead of having one updater tool for each application, having one updater tool that looks for updates to hundreds of potential apps you may want to install would be a much better use of resources on my PC. And the default installation setting for this Windows tool should be "auto-update once per week" or something.
          • by hurfy ( 735314 )

            Even if they want to they would have to try pretty hard to update some of it. 2nd computer has Acrobat reader 7 on it. If you click check for updates it gives me some language pack. Umm...no mention of the other 20 versions between 7.0 and now! Like someone else mentioned, it is entirely possible to accidentally get an old version installed along with something else. Joe Sixpack certainly is not going research what version it should be if the update button can't be bothered to figure it out.

        • Package managers? APT+synaptic?

          I wish I knew what ye were talking about. (shrug). I don't see anything wrong with the current model of having each program "phone home" and check for updates when you run it.

          • Re: (Score:3, Insightful)

            by Cid Highwind ( 9258 )
            I don't see anything wrong with the current model of having each program "phone home" and check for updates when you run it.

            I do. If something like Adobe Reader only checks for updates when you use it, and you rarely use pdf documents, it will sometimes fall a few versions behind. Then when you encounter a web site that embeds some pdf-exploit-of-the-week, your system gets pwnt while Reader is still waiting to hear back from the update server.

            Most vendors' cure for that: to install yet another godda
    • Re:Huh? (Score:5, Insightful)

      by DavidRawling ( 864446 ) on Wednesday July 22, 2009 @04:33AM (#28779495)

      The thing is, they (Secunia) have a point. Why are Adobe offering the old version, and requiring updates post-installation, for a version that is known to have serious issues.

      Let's face it, people install it because they want to view the PDF file they've just received, or downloaded. They're not going to be conscientious about updates because they just downloaded it and they expect it to be up to date. Let's not forget that plugins have pretty much always worked that way (eg Flash).

      • Re:Huh? (Score:5, Insightful)

        by MichaelSmith ( 789609 ) on Wednesday July 22, 2009 @04:46AM (#28779537) Homepage Journal
        If Adobe didn't want to continually change the released version they could change the installer once to check for new versions.
        • Re: (Score:3, Interesting)

          by bheer ( 633842 )

          Indeed, that is exactly what the IE7 and IE8 installers do. So even if someone burnt an old version of IE7/8 to CD and distributed it with a magazine, anyone installing it with a net connection would automatically get updates.

      • Why are Adobe offering the old versions?

        Absolutely! I'm not html guru but surely it shouldn't take a company with Adobe's technical knowhow to update an "a href" tag . . . in fact, come to think of it, I would do it myself for a small fee . . .

        • What technical expertise? Adobe apparently has none.

          Kinda like the place I work (government).

        • They might be taking the lazy way out and instead of providing a new full package and updates for the older package, they are just providing the updates and expecting new users to download the patches right away. This is more work than just redirecting the link, as they would actually need to build the entire installer.

    • Re:Huh? (Score:5, Insightful)

      by rysiek ( 1328591 ) on Wednesday July 22, 2009 @04:33AM (#28779497) Homepage
      The problem is not that there is no package manager, automagically updating the packages; the problem is, on Adobe Reader's official download page there is an outdated version featured. So everybody that get's directed to that page through google search or whatever, dowanloads and installs an unpatched, vulnerable and exploitable version. Cheers
      • And then when a patch for Adobe does come out, as an Admin of 600 PC's I have to use Adobe's somewhat broken Update mechanism inside reader to update it. They don't release an MSP patch for SUS/Zenworks deployment until weeks later.

        They do need to fix this. Also, how often do you install a piece of software only to end up with Adobe reader 3.01, or 5 installed with it even though you have 9.1.2? That is an issue to.

        Sun Java needs to fix their broken updater too. Check out http://secunia.com/advisorie [secunia.com]

    • Re:Huh? (Score:5, Interesting)

      by bheer ( 633842 ) <rbheerNO@SPAMgmail.com> on Wednesday July 22, 2009 @04:48AM (#28779547)

      Indeed. And given that Windows Update already exists, and given that Microsoft is antitrust-law bound to allow everyone equal access to Windows, why not open up Windows Update to allow it to update all your apps? Microsoft Update (an extension to Windows Update) already updates things like Office, .net, silverlight, etc. So why not publish a white paper on how to get your app included in Windows Update in a fair, non-discriminatory manner?

      (Alternatively, folk could band around the open-source GoogleUpdate backend. These days it doesn't even run all the time [blogspot.com].)

      I for one would love to see the end of lots of different *update.exe apps running on the average user's computer.

      • Re: (Score:3, Interesting)

        by jonwil ( 467024 )

        I have the following updaters running on my system:
        Miranda IM (built into the program and just opens the URL to the new full-installer in the default browser)
        AVG (built into the resident parts of the program)
        Acrobat Reader Updater
        Sun Java Updater
        Microsoft Update (set to not download automatically since I prefer to have choice in which updates I install)
        various games (most of which check for updates when I connect to the online bit)

        Conversely, there are programs I wish DID have automatic updaters:
        SeaMonkey (

        • Yes, each application having it's own updater code. That's a brilliant idea! Much more memory and CPU time used, many more places for exploits to happen since each one of them has different network code... the fun is endless!
      • by mlts ( 1038732 ) *

        Maybe Microsoft could have this as part of the Windows Logo requirement. This could be implemented in two ways:

        The first is actively hosting all updates. The problem with this is that it would require very large amounts of bandwidth, so there would have to be a revenue stream to Microsoft for them to be able to do this and remain profitable.

        The second is having a pointer to the vendor's download URLs for a file. This is a lot easier, but still requires some added infrastructure and bandwidth. However, t

        • ... having a pointer to the vendor's download URLs for a file. This is a lot easier, but still requires some added infrastructure and bandwidth. However, third party utilities like Secunia's PSI are able to hunt down and point out outdated/insecure versions, so it wouldn't be too onerous for a central switchboard for application vendors to have one place for update checking. ...

          Not a bad idea. But perhaps the infrastructure already exists. It seems like much of this could be a TXT record in a DNS file. Microsoft would only have to host the "root" server for windows software update info. Why create a new infrastructure/protocol when a perfectly good one exists?

          Now before you all go and beat up on the idea, I am sure there would be some decisions that would need to be made. For example, does the TXT record actually go in the current zone file, or is this a separate system just usin

      • (Alternatively, folk could band around the open-source GoogleUpdate backend. These days it doesn't even run all the time.)

        I didn't know this had been opened up. Thanks for the pointer :)

    • by jonwil ( 467024 )

      Even if Windows DID have a proper package manager (from Microsoft or anyone else), many companies would not want to use it since it takes away control over certain things. For example, Norton checks your serial number and details against the database of valid licenses before it will download any updates (so pirates cant crack it to get it to pull virus updates that they havent paid for) The updater for Apple products always tries to convince you to install the products you dont have (if all you have is Quic

      • Certificates. When a user purchases software, issue them a certificate that is added to the package manager along with the repository location and its signing key. Configure your repository server to not issue updates if the user's certificate is either revoked, expired or invalid. Although one thing I believe probably should have its own updater would be antivirus/antimalware because you may want that on a separate schedule from your usual updates. For example, I may want my applications to update weekly o

    • Re: (Score:3, Interesting)

      by Spit ( 23158 )

      All they can? Are you fucking serious? How about not coding such shitty software in the first place, for starters.

      • Easier said than done. You're not in OSS land here, you're not dealing with a program designed, envisioned and projected by programmers. You have a beancounter and a manager who want that program on the street before their quarter report is due.

        It's not that the shipping date is when it's done. It's done when the shipping date rolls over.

    • Ok, i will move my vote over to the totally stupid column.

      Just downloaded the 25.5MB reader.
      Then downloaded the 26.1MB in updates!

      So they appear to have you download one version and then replace it :/

      Having it download the downloader probably doesn't simplify anything for Joe Sixpack either. Trying to download Acrobat Reader gives a warning message about installing something that is not Acrobat Reader...Didn't we try to teach Joe NOT to do that?!?

  • by BikeHelmet ( 1437881 ) on Wednesday July 22, 2009 @04:23AM (#28779467) Journal

    Adobe Reader has always been bad for this - even back when it was called Acrobat Reader.

    Aside from having dozens of different versions installed - whatever version you installed was always out of date, unless you started it up(which took ages), and clicked the Check for Updates button. Then it'd tell you you're out of date. You download an update, it restarts, and then you do it again... and it downloads another update. It installs the update, and restarts, and then you do it a third time to check for another update.

    After all, jumping from 8.1 to 8.1.3 is much too large of an increment. Each version must be applied incrementally, and it's completely illogical to download every required update at the same time.

    Ahh... the fond memories! It takes me right back. Now I remember their artificially slow installers, that did nothing for minutes on end just because of your OS. Such pleasant times!

    • Re: (Score:2, Interesting)

      by bheer ( 633842 )

      That's bothered the heck out of me too! It's almost like Adobe doesn't have a clue about doing proper updates. They should really pay some guys from Mozilla to come and teach 'em. Say what you like about Firefox, it was the first Windows product I've used which devoted a good deal of engineering thought to making updates easy.

      • Say what you like about Firefox, it was the first Windows product I've used which devoted a good deal of engineering thought to making updates easy.

        Not enough, apparently.

        Where I work, they are about to remove the 'fox from all systems because updates make it the default browser, even if it wasn't the previous default. There is currently no way to prevent that from happening.

        Not exactly enterprise-friendly behavior...

        • If your IT department can't even use Google [frontmotion.com], maybe it's time to start looking for a new job...
          • I know self-reply is bad form, but further Googling shows that the latest version of Firefox is set correctly [frontmotion.com]. It wasn't enterprise-friendly behavior, but then, nor was Microsoft's. At least Firefox's behavior was more than likely inadvertent, simply not being nearly as large a company as Microsoft as well as targeting multiple platforms. Microsoft changes your browser when you update, invisibly. That's more enterprise-unfriendly than anything Firefox has done.
          • They know about front-motion, but it's not approved at higher levels. Welcome to Dilbert world...
      • They seem to have had Windows developers in to teach them about writing secure software.
      • by colfer ( 619105 )
        Firefox 3.0.12 updates to 3.5, when you ask for updates. Then if you ask again, you get 3.5.1, to fix the critical security bug in JIT.
  • by mr_stark ( 242856 ) <`tim' `at' `trgray.co.uk'> on Wednesday July 22, 2009 @04:56AM (#28779573)

    Dont use Acrobat... There are several alternatives available all less bloated:

    GPL'd PDF reader: http://blog.kowalczyk.info/software/sumatrapdf/index.html [kowalczyk.info]

    Commercial: http://www.foxitsoftware.com/pdf/reader/ [foxitsoftware.com]

    • by bheer ( 633842 ) <rbheerNO@SPAMgmail.com> on Wednesday July 22, 2009 @05:23AM (#28779655)

      Unfortunately, it isn't that simple. Many of the alternatives lack key features that make it difficult for many users.

      IIRC there are some kinds of PDF Forms [foxitsoftware.com] which still cause problems in Foxit Reader. Also, because Foxit doesn't have CoolType and Adobe does, PS/OpenType fonts which are not specifically hinted for the screen (and are used by many design shops) look *much* better on Adobe reader than Foxit, making it invaluable for pre-publishing previews.

      Also, specifically for Foxit -- it has its own share of vulnerabilities.

      • [quote]IIRC there are some kinds of PDF Forms which still cause problems in Foxit Reader.[/quote]

        The support in the thread claim that it's been mostly fixed, and that is as of two to three months ago.

        [quote]Also, because Foxit doesn't have CoolType and Adobe does, PS/OpenType fonts which are not specifically hinted for the screen (and are used by many design shops) look *much* better on Adobe reader than Foxit, making it invaluable for pre-publishing previews.[/quote]

        It's a valid point for some users. But

  • Google docs (Score:3, Interesting)

    by beadwindow ( 1578749 ) on Wednesday July 22, 2009 @06:10AM (#28779803)
    google docs opens pdf's
  • by dtjohnson ( 102237 ) on Wednesday July 22, 2009 @06:29AM (#28779887)

    Adobe began using javascript in their reader beginning with v7 and that has opened up this whole new world of security issues. Wouldn't it be better if the 'reader' just rendered a static file and didn't run embedded script?

    • But ... but all those nifty features, like filling out forms and such! How did we ever survive without them?

      It's like saying "Why do we need Aero?" We don't. Few people do at all. But, hell, how do you plan to sell a new version if your markedroids can essentially only say "Well... it has rounded corners now"?

    • Not always. Look at, say, any good postscript viewer. Like ghostview or Okular, or any good printer. You can't read a .PS file without running it.
    • The irony being that PDF is a Turing- in complete variation of the (Turiong-complete) PostScript language. So what does Adobe do?
      "Hey guys, lets embed a *completely different* Turing-complete language in our document specification!"

  • If they make a really secure program, who is going to replace the FSA (Russia) and NSA (USA) subsidy payments?
  • In my opinion, the purpose of a PDF reader is to ... wait for it ... *read* a PDF file, not run Java or any other sort of scripting. If a publisher wants to create an interactive program, *there are programming languages for that!* If Acrobat Reader was made to specifically prevent a document from doing anything except *being passively read*, we wouldn't have half these problems.

    The Swiss Army Knife approach only works for Switzerland's military elite, not software companies!

  • If I had so many vulnerabilities I would feel insecure too.
  • Comment removed based on user account deletion
  • Don't use Acrobat! (Score:2, Informative)

    by crhylove ( 205956 )

    Acrobat is like a giant virus on every machine I've run it on.

    SumatraPDF is much, much faster and better.

    Besides Adobe is a Fox news sponsor. Don't give them your money or your ram!!!

    http://portableapps.com/de/apps/office/sumatra_pdf_portable [portableapps.com]

  • So, it seems that I'm not alone in finding it incredibly frustrating and back-to-front that Adobe don't offer the latest versions of any of their software for download, especially Acrobat and Reader.

    You need to download the main installer, which will generally be X.0.0 of the software, and then there are a whole heap of updates.

    Downloading these extra updates, when Adobe could simply update the version of the main installer, is a vast waste of bandwidth and a monumental waste of time.

    I hope this prompts Ado

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...