Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Adobe tries to explain Acrobat patch woe

While accuser Secunia stick to its guns.

Article comments

Adobe has played down the charge that it has been serving users an insecure version of its Acrobat PDF Reader, claiming that the software is automatically updated after installation.

Danish security research company Secunia had earlier posted a blog questioning why Adobe was still allowing users to download the 9.1.0 version of Acrobat from its website, despite the fact that this has a clutch of known security holes supposedly fixed many weeks ago by subsequent 9.1.1 and 9.1.2 patches.

Adobe's point - accepted by Secunia - is that these patches cannot be applied unless 9.1.0 is already present on the system, which brings the matter down to a single issue: after installing the insecure version, how long does the software take to apply the subsequent fixes?

In a statement sent to Techworld, Adobe was confident that this process would happen immediately.

"Once Adobe Reader 9.1.0 is installed, the Adobe Updater technology will subsequently offer the Adobe Reader 9.1.1 and 9.1.2 patches. Adobe Updater will check for updates immediately on first launch. Thereafter, Adobe Updater checks for updates every seven days from that first launch," read the statement.

A further clarification sent to Techworld by Secunia, agrees with this general chain of events, but places a different emphasis on the nature of the updating process.

"It is not our experience that the update will happen immediately. We have conducted several "tests" and did not arrive at that conclusion," said Secunia spokesman, Mikkel Løcke Winther. "Meanwhile the user is open to attacks, using known software vulnerabilities in Adobe reader, for which there are available patches from vendor."

According to Secunia, the time taken to download and install updates is critical. The company used the example of a user installing Acrobat for the first time after receiving a PDF file that he or she could not open. If the update is delayed, the file - which could be a rogue PDF designed to exploit a security hole - would have an exploit window on the unpatched machine.

An informal test by Techworld appears to bear out Secunia's claim the current Acrobat 9.1.0 installs without immediately updating to the patched versions. Interestingly, installing Acrobat over a version already patched with 9.1.1 results in the installer updating the user to the patched 9.1.2 version.

Users wanting to get the latest version can manually update the vulnerable version or locate versions 9.1.1 or 9.1.2 at Adobe's website, the company said.

Gauging the significance of this minor glitch depends on how seriously the user takes the vulnerabilities that required 9.1.0 to be updated in the first place. Secunia points out that ten of these were rated as ‘critical, so it looks as if Adobe has failed to cover all bases. The risk is small but it is certainly real.

According to Secunia , using its free Personal Software Inspector (PSI) tool with program monitoring turned on, the user would be alerted immediately, and before a bogus PDF could be opened.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *