
July 21st, 2009

Adobe ships insecure version of Reader from official site

Posted by Dancho Danchev @ 4:31 am

Categories: Adobe, Anti Virus, Browsers, Flash, Hackers, Patch Watch

Tags: Adobe Systems Inc., Vulnerability, Adobe Acrobat Reader, Web Site Development, Security, Internet, Dancho Danchev

Following reports by users of Secunia’s Personal Software Inspector on a potential false positive for an insecure version of Adobe Reader, Secunia has found that Adobe is, surprisingly, shipping the insecure Adobe Reader 9.1.0 version from its official site, potentially exposing users to flaws that were fixed in the latest 9.1.2 version.

Adobe’s comment on the issue:

“Adobe says the window of vulnerability is small because its updater tries to update Reader immediately and every seven days thereafter, automatically. However, the company acknowledges that the scenario suggested by Secunia — clicking on a malicious PDF without Reader installed — could lead to a compromised system.”

Users are always advised to download software from its official web site in order to obtain the latest version, and to avoid the potential security implications of downloading from an untrusted third-party web site. This case clearly demonstrates something else.

In particular, it shows that an insecure version of the software can in fact be downloaded from its official web site, at a time when PDF remains among the file types most commonly used in targeted attacks, and when the average Internet user isn’t patching and wrongly relies on antivirus software for protection against the vulnerabilities this practice leaves open.

Asked to comment on the issue, PSI Partner Manager Mikkel Winther says: “PC users need to patch! They need to patch all their vulnerable programs and they need to do so as fast as possible after the patch has been issued from the vendor. Failing to do so is playing Russian Roulette with your IT security – it is only a question of time – and luck – when your system will be compromised.”

Make sure that you’re in fact running the latest Adobe Reader 9.1.2, and keep in mind that cybercriminals aren’t relying exclusively on one particular vulnerability to infect potential victims. They’re using everything at their disposal, including historical vulnerabilities.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.


  • Talkback
  • Most Recent of 29 Talkback(s)
Insecure version on the Mac platform
Not only does Adobe continue to make available only the insecure version of its Reader software, but for the Mac, the updater software does not work properly and will NOT allow the version update to t...
Posted by: athurman@... Posted on: 07/24/09
