Adobe Offers Unpatched Version of Reader - But Don't Panic
Adobe has talked a lot about security lately. A few months ago, the company announced it was changing its patching and development process. Now, officials at Secunia are reporting that the version of Adobe Reader available for download on Adobe's Website is both old and riddled with vulnerabilities.

Now in Adobe's defense, version 9.1 for Windows is the most recent full installer of the product, and versions 9.1.1 and 9.1.2 for Windows are only patches that require version 9.1 to be present.

"This is the reason users are offered Adobe Reader 9.1 via the 'Get Adobe Reader' page on Adobe.com," an Adobe spokesperson said. "Once Adobe Reader 9.1 is installed, the Adobe Updater technology will subsequently offer the Adobe Reader 9.1.1 and 9.1.2 patches. Adobe Updater will check for updates immediately on first launch. Thereafter, Adobe Updater checks for updates every seven days from that first launch."

Alternately, users can manually apply the patches through the Product updates section of the site or click on "Help > Check for Updates" to make sure their product is up-to-date.

Given Adobe's explanation, Secunia's advisory may seem like something of a false alarm given that users cannot run the patched versions without installing the original edition. But Secunia's overall point - that users need to pay attention to whether or not their programs are patched - is absolutely true.

"PC users need to patch! They need to patch all their vulnerable programs and they need to do so as fast as possible after the patch has been issued from the vendor," Mikkel Winther, PSI Partner Manager, said in a statement. "Failing to do so is playing Russian Roulette with your IT security - it is only a question of time - and luck - when your system will be compromised."


Comments (3)
Why doesn't Adobe simply slipstream the patches into their 9.1 version to create a fully patched 9.1.2 installable download? That would take them all of 20 minutes to process.
Posted by David | July 21, 2009 9:39 AM
I wrote Adobe tech support many weeks ago about why they do not offer a fully fixed Reader download, instead of the current poor, time-wasting, illogical way of downloading an old and vulnerable version and then forcing us to waste our time updating this lousy version to secure it.
Adobe never contacted me, and closed my inquiry without replying to me.
A very unacceptable and poor way of doing business.
Shame on Adobe.
Posted by John Ohannessian | July 21, 2009 10:09 AM
The main reason that we don't roll "double dot patches" into a new installer is that to do so would increase the amount of testing necessary to deliver a patch and thus take longer for you (the user!) to get the needed fixes in the field.
Our standard policy is to do installers only on major and "single dot" releases - which we are now doing on a quarterly basis. So when we release the next quarterly release, it will have a full installer.
I will also point out that NO company updates their full installers on "double dots" - Apple, Google, Microsoft, etc. It's simply too much work for not enough gain.
Leonard Rosenthol
Adobe Systems
Posted by Leonard Rosenthol | July 21, 2009 11:37 AM