10:34 CET, 21st July 2009 By Mikkel Winther.
There has recently existed some confusion amongst the users of the Secunia PSI as they are puzzled as to why the latest downloaded Adobe Reader version from Adobe.com is reported as insecure by Secunia PSI.
Is it a false positive? Due to the detection method (looking at the actual files available on the hard-drive of a PC) used in the Secunia PSI false positives are very unlikely.
A mistake in the Secunia PSI? Perhaps, but we are happy to learn that the Secunia PSI is correct, but surprised to discover that Adobe ships insecure software to their users!
The installation of Adobe Reader usually happens like this:
1) The user receives a PDF file (usually considered a "safe" file format), only to discover that there is no PDF reader on the PC.
2) The user visits Adobe.com to download the latest version of Adobe Reader from the official download site. When the installation is complete, the user has version 9.1.0 installed – both as a stand-alone program and as a browser plugin - which is known to be affected by numerous code execution vulnerabilities.
3) If the user opens a malicious PDF, the damage is done and the system could easily be compromised!
In Adobe's defence: They do also automatically install the "Adobe Updater" on your PC when you install Adobe Reader, which eventually checks for updates for your new Adobe Reader installation. Hereafter, "Adobe Updater" dutifully notifies you about the fact that available updates are present, which of course, you need to click, agree to download, and wait for the installation to finish – all before you open that PDF file, which was the whole reason you installed Adobe Reader in the first place...
...remember: The criminals only need one unpatched program to compromise your machine!
Vulnerabilities and Timeline
On 1st of May 2009, version 9.1.1 of Adobe Reader was announced and according to Adobe fixed at least one critical vulnerability. However, despite this announcement Adobe continued to serve version 9.1.0 on Adobe.com.
In the meantime, on 10th of June, another 9 critical vulnerabilities (SA34580) were fixed by Adobe in their very popular PDF viewer.
Yet, as of today, Adobe still serves version 9.1.0 on their official download location at Adobe.com, leaving the user with the task of understanding that their PC has been rendered vulnerable to attacks (from opening an innocent looking PDF attachment to surf-by-attacks when browsing websites).
What Should You Do?
If you recently installed Adobe Reader, we strongly recommend that you either open Adobe Reader 9.x and go to the "Help" -> "About Adobe Reader 9" and verify that your installation is indeed version 9.1.2 (the latest patched version as of this writing).
Alternatively, we invite you to download and install our completely free Secunia PSI, which is the only tool that can help you determine which programs are on your PC and assess which of these are missing critical security updates that could lead to a compromise of your PC.
Remember that patching is more important than having an Anti-Virus program and a personal firewall.