Adobe tries to explain Acrobat patch woe
While accuser Secunia stick to its guns.
By John Dunn | Techworld | Published: 14:54, 21 July 2009
Adobe has played down the charge that it has been serving users an insecure version of its Acrobat PDF Reader, claiming that the software is automatically updated after installation.
Danish security research company Secunia had earlier posted a blog questioning why Adobe was still allowing users to download the 9.1.0 version of Acrobat from its website, despite the fact that this has a clutch of known security holes supposedly fixed many weeks ago by subsequent 9.1.1 and 9.1.2 patches.
Adobe's point - accepted by Secunia - is that these patches cannot be applied unless 9.1.0 is already present on the system, which brings the matter down to a single issue: after installing the insecure version, how long does the software take to apply the subsequent fixes?
In a statement sent to Techworld, Adobe was confident that this process would happen immediately.
"Once Adobe Reader 9.1.0 is installed, the Adobe Updater technology will subsequently offer the Adobe Reader 9.1.1 and 9.1.2 patches. Adobe Updater will check for updates immediately on first launch. Thereafter, Adobe Updater checks for updates every seven days from that first launch," read the statement.
A further clarification sent to Techworld by Secunia, agrees with this general chain of events, but places a different emphasis on the nature of the updating process.
"It is not our experience that the update will happen immediately. We have conducted several "tests" and did not arrive at that conclusion," said Secunia spokesman, Mikkel Løcke Winther. "Meanwhile the user is open to attacks, using known software vulnerabilities in Adobe reader, for which there are available patches from vendor."
According to Secunia, the time taken to download and install updates is critical. The company used the example of a user installing Acrobat for the first time after receiving a PDF file that he or she could not open. If the update is delayed, the file - which could be a rogue PDF designed to exploit a security hole - would have an exploit window on the unpatched machine.
An informal test by Techworld appears to bear out Secunia's claim the current Acrobat 9.1.0 installs without immediately updating to the patched versions. Interestingly, installing Acrobat over a version already patched with 9.1.1 results in the installer updating the user to the patched 9.1.2 version.
Gauging the significance of this minor glitch depends on how seriously the user takes the vulnerabilities that required 9.1.0 to be updated in the first place. Secunia points out that ten of these were rated as ‘critical, so it looks as if Adobe has failed to cover all bases. The risk is small but it is certainly real.
According to Secunia , using its free Personal Software Inspector (PSI) tool with program monitoring turned on, the user would be alerted immediately, and before a bogus PDF could be opened.