Adobe Insecure / Unpatched Version From Official Site

10:34 CET on the 21st July 2009
Entry written by Mikkel Winther.

There has recently been some confusion among users of the Secunia PSI, who are puzzled as to why the latest Adobe Reader version downloaded from Adobe.com is reported as insecure by the Secunia PSI.

Is it a false positive? Given the detection method used by the Secunia PSI (inspecting the actual files present on the PC's hard drive rather than relying on what the program reports about itself), false positives are very unlikely.

A mistake in the Secunia PSI? Perhaps, but having looked into it we are happy to learn that the Secunia PSI is correct, and surprised to discover that Adobe ships insecure software to its users!

The installation of Adobe Reader usually happens like this:

1) The user receives a PDF file (usually considered a "safe" file format), only to discover that there is no PDF reader on the PC.
2) The user visits Adobe.com to download the latest version of Adobe Reader from the official download site. When the installation is complete, the user has version 9.1.0 installed, both as a stand-alone program and as a browser plugin, a version known to be affected by numerous code execution vulnerabilities.
3) If the user opens a malicious PDF, the damage is done and the system could easily be compromised!

In Adobe's defence: they do also automatically install the "Adobe Updater" on your PC when you install Adobe Reader, which eventually checks for updates for your new Adobe Reader installation. After that, "Adobe Updater" dutifully notifies you that updates are available, which of course you need to click, agree to download, and wait for the installation to finish, all before you open that PDF file, which was the whole reason you installed Adobe Reader in the first place...

...remember: the criminals only need one unpatched program to compromise your machine!

Vulnerabilities and Timeline
On 1 May 2009, version 9.1.1 of Adobe Reader was announced and, according to Adobe, fixed at least one critical vulnerability. However, despite this announcement Adobe continued to serve version 9.1.0 on Adobe.com.

In the meantime, on 10 June, another 9 critical vulnerabilities (SA34580) were fixed by Adobe in their very popular PDF viewer.

Yet, as of today, Adobe still serves version 9.1.0 from their official download location at Adobe.com, leaving the user with the task of working out that their PC has been rendered vulnerable to attacks, from opening an innocent-looking PDF attachment to surf-by attacks when browsing websites.

What Should You Do?
If you recently installed Adobe Reader, we strongly recommend that you open Adobe Reader 9.x, go to "Help" -> "About Adobe Reader 9", and verify that your installation is indeed version 9.1.2 (the latest patched version as of this writing).

Alternatively, we invite you to download and install our completely free Secunia PSI, which is the only tool that can help you determine which programs are on your PC and assess which of them are missing critical security updates that could lead to a compromise of your PC.
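The check described above (compare what is actually installed against the latest patched version) is easy to get wrong if versions are compared as text, because "9.1.10" sorts before "9.1.2" lexically. The following Python is an added example written for this post; it is not Secunia PSI code and not Adobe's. The only version numbers taken from the post are Adobe Reader 9.1.0 (what Adobe.com shipped) and 9.1.2 (the latest patched version at the time of writing); the inventory is constructed sample data, and the function names are this example's own.

```python
"""Flag installed programs that are below the minimum patched version.

Added example, not Secunia's PSI. Version strings are compared numerically,
component by component, so that 9.1.10 >= 9.1.2 and 9.1 == 9.1.0.
"""
from __future__ import annotations

import re
from typing import Dict, List, NamedTuple, Tuple

# Minimum version that carries the fixes discussed in the post.
# The Adobe Reader value (9.1.2) comes from the post; this table is
# otherwise a constructed placeholder that a real inventory tool would
# populate from its vulnerability intelligence feed.
MIN_PATCHED: Dict[str, str] = {
    "Adobe Reader": "9.1.2",
}

_DOTTED = re.compile(r"^\d+(\.\d+)*$")


class Finding(NamedTuple):
    product: str
    installed: str
    required: str
    status: str  # "secure", "insecure" or "unknown"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.1.0' into (9, 1, 0); reject anything that is not dotted digits."""
    text = text.strip()
    if not _DOTTED.match(text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_at_least(installed: str, required: str) -> bool:
    """Numeric comparison, padding the shorter tuple with zeros so that
    '9.1' and '9.1.0' are treated as equal."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def assess(inventory: Dict[str, str]) -> List[Finding]:
    """Map {product: installed version} to findings.

    Products without an entry in MIN_PATCHED, or with an unparsable
    version string, are reported as 'unknown' rather than silently
    treated as secure."""
    findings: List[Finding] = []
    for product, installed in sorted(inventory.items()):
        required = MIN_PATCHED.get(product)
        if required is None:
            findings.append(Finding(product, installed, "", "unknown"))
            continue
        try:
            ok = is_at_least(installed, required)
        except ValueError:
            findings.append(Finding(product, installed, required, "unknown"))
            continue
        findings.append(Finding(product, installed, required,
                                "secure" if ok else "insecure"))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: the first entry is the scenario from
    # the post (a fresh install from Adobe.com), the rest are placeholders.
    sample = {
        "Adobe Reader": "9.1.0",
        "Example Viewer": "2.0",
    }
    for f in assess(sample):
        print(f"{f.status:8} {f.product}: installed {f.installed}"
              + (f", requires {f.required}" if f.required else ""))
```

The "unknown" status matters: an inventory tool that quietly skips a product it cannot classify gives the user the same false sense of safety that a missing update notice does.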

Remember that patching is more important than having an anti-virus program and a personal firewall.

Stay Secure

Mikkel Winther
