October 5, 2010

A new security update from Adobe plugs at least 23 security holes in its PDF Reader and Acrobat software, including two vulnerabilities that attackers are actively exploiting to break into computers.

Adobe is urging Reader and Acrobat users of versions 9.3.4 and earlier for Windows, Mac and UNIX systems to upgrade to version 9.4 (Adobe says those who can’t upgrade to the 9.x version should instead apply the version 8.2.5 update).

Adobe says one of the 23 flaws fixed by this new version is being actively exploited. A second zero-day flaw corrected by today’s update — a critical vulnerability in Adobe Flash player that the company fixed in a separate update last month for the stand-alone Flash player — also exists in Adobe Acrobat and Reader, although Adobe says it is not aware of any attacks exploiting this flaw in those products yet.

Several readers have asked about a security feature Adobe has promised will be in future versions of Reader and Acrobat, a sandboxing technology designed to block the exploitation of previously unidentified security holes in its software. Adobe says that capability will be included in the next major release of these software titles, which is due out before the end of the year. Adobe’s Brad Arkin has more about this upcoming feature, in a blog post published today.

Now that Adobe has moved to a quarterly patch cycle, this new major version is unlikely to coincide with the next scheduled security update, which isn’t planned until Feb. 8, 2011. However, given the rate at which Adobe releases security updates (it has issued emergency updates twice in the past year for Reader and Acrobat, and more often for Flash and other software), I doubt it will be that long before we see another critical Reader patch.

Adobe’s sandboxed version may well turn out to be more secure than other PDF readers, but I long ago stopped messing with Reader and switched to Foxit. There are other options as well, including Nitro PDF Reader and Sumatra.

If you use Adobe Reader or Acrobat, please take a moment to update this software. The current version of Reader is available here, and other products and versions are available from this page.


30 thoughts on “Reader, Acrobat Patches Plug 23 Security Holes”

    1. hhhobbit

      John C. Welch: Reader does not really need sandboxing on Macs, Linux, and Unix. You are already inherently sandboxed by the MAC (Mandatory Access Control – folder and file permission flags) of the system as long as you run Reader only as a normal user. Never run Adobe Reader as the root user. If you do that you are effectively sandboxed unless there is a privilege escalation error security hole. Also make sure you turn off JavaScript until you need it.

  1. JackRussell

    Sigh. This is getting really old.

    I tried using Foxit once, and it kept hanging on me when loading large documents. I would have to use the task manager to kill it, and then try and reload. After a few times going through this nonsense, I went back to Adobe.

    1. d

      Give PDF-XChange Viewer a try. I was quite satisfied with it. The company has a couple of different versions, ranging from the free viewer to highly professional.

  2. Emet

    Convert .PDF files and view on-line:

    http://view.samurajdata.se/

    The URL above performs better than Adobe’s on-line conversion utility, for free. Or offline, use programs like pdftohtml to convert and read. For Windows, offline, use a convert utility; do not load into Windows PDF readers to view. Stay thirsty my friends.

  3. JBV

    As always, don’t forget to uncheck the add-ons box or you will get some nasty toolbar that you don’t want or need. And, as always, you get a shortcut on your desktop, whether you want it or not. Ech!

  4. Jacqueline Sullivan

    When I try to open a PDF a pop-up says Acrobat 5 is incompatible. I thought Reader opened my PDFs. Still, I uninstalled Acrobat 5 but the pop-up still appears and Reader won’t open PDFs.
    I have Reader 9.3.4 installed. Each time I try to update to Reader 9.4 it says this file may harm your computer. Do you know how I can safely get Reader updated and be able to read my PDFs again?
    I would really appreciate help with this.
    Thanks

    1. JCitizen

      For my clients that actually use Adobe’s Reader, I install File Hippo’s update checker on their PC. This does a simple job getting the updates. And they are the right ones every time in my experience.

      Personally I use Foxit. File Hippo always releases a link to the update for it, long before a vulnerability is found for that particular version. FH works for most popular applications – Secunia PSI is even more thorough.

    2. 67GTV

      Jacqueline, you need to reset the Windows setting for opening PDF files with Adobe Reader. Windows sometimes ‘forgets’ what application opens certain files.

      I find the easiest way to adjust this setting in Windows 7 is to right-click on a PDF file and choose “Open with…”. Select “Adobe Reader 9.3” and make sure the “Always use the selected program to open this kind of file” option is checked, then click “OK”.

      Similarly, in Windows XP, right-click on a PDF file and choose “Open with…” then select “Choose Program…”. Select “Adobe Reader 9.3” and make sure the “Always use the selected program to open this kind of file” option is checked, then click “OK”.

      If any of these settings are grayed out, you may need to temporarily promote your user account.

      The “this file may harm your computer” warning is a common prompt when downloading files. Microsoft is trying to get the end user to think before they click. ‘Are you really, really, really sure you want to download this file?’

    3. hhhobbit

      First, Start – Run – type regedit and carefully search for all entries for Acrobat and carefully delete the relevant ones. Also delete your Adobe Reader and make sure all of the Acrobat and Reader files left in %ProgramFiles% after everything is uninstalled are gone. If there are Adobe folders for Acrobat or Reader, delete them. Make sure you also delete the %ProgramFiles%\Common Files\Adobe folder as well. That should get rid of your message. What says it doesn’t like the new Reader install? If it is Symantec’s NAV, it says that about everything, as do many other AV programs. If that is the case, make sure it was downloaded from Adobe and, if it is, tell NAV to go away and install it anyway. If you still have problems, specify which version of Windows you have and somebody else can take over finding what the problems are. But I think this will solve your problems.

      1. 67GTV

        Danger Will Robinson! Danger!

        Don’t mess around with your registry unless you know what you’re doing! And certainly create a backup AND a Restore Point prior!

  5. Brian

    And do not forget to untick Java in Preferences, as advised by Brian on other occasions.

    Brian

    1. drzaiusapelord

      I do the following when installing Reader. Uncheck JavaScript. Uncheck “Allow PDFs to open external applications” under Trust Manager. Under Updater I check “Automatically install updates.” Why these aren’t the defaults is beyond me, but I find this adds a slight level of protection and generally it downloads and installs current updates the same day they are released.

  6. Henry Winokur

    I think a more important issue for Adobe is why their Flash updater doesn’t remove the OLD versions of their software. I have clients who simply don’t understand how to do it, and then Secunia runs and tells them they’re still running the OLD version.

    Can you tell Adobe to make life easier, Brian? I mean how difficult is it???

    1. jerry

      I thought the Flash updater, since version 10 anyway, uninstalls previous versions during the install of the latest. It has for me, unless I have older versions around and I’m unaware of it. When I check the add/remove programs, only the latest is shown.

  7. Jim

    Brian, thanks for always being alert for the computer community.

    Seems the only time I’m aware of an Adobe security update is via Brian. Adobe’s primary concern is to deliver the useless toolbar.

  8. Brad

    Gnome’s Evince document reader also runs on Windows, and a convenient MSI installer is available:
    http://live.gnome.org/Evince/Downloads

    I run Evince instead of Reader wherever possible. It has (very likely, at a 30 MB installer size) the smallest footprint and all of the most commonly used features in Reader.

    1. hhhobbit

      Brad: Evince is also the default viewer for Linux. I couldn’t get it to open an AES-256-encrypted file and suspect it probably doesn’t open any encrypted PDF file. It also doesn’t have a form-filling capability (at least 2.30.* does not have that capability). So if you need to fill in a PDF form file you will have to use Adobe. I don’t think Mac’s Document Previewer has the ability to fill in a PDF form file either.

  9. PaulJ

    The Reader 9.4 update “installs the Flash Player 10.1.82.76 update” according to the release notes.

    The latest version of Flash is 10.1.85.3, which was released at the end of September.

    Color me confused, but aren’t we still vulnerable? Or did someone not proof-read the release notes?
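The situation PaulJ describes, a freshly patched Reader that still carries an older embedded Flash Player than the current stand-alone release, is exactly what an inventory check should catch. The following is an added example and not code from the post or from Adobe: it compares dotted version strings numerically (plain string comparison would rank 10.1.9 above 10.1.10) and reports every bundled component that lags the vendor's current version. The two Flash versions are the ones named in the comment; the inventory entries, host names and the third product are constructed placeholders.

```python
"""Flag bundled components that lag the vendor's current release (added example)."""
import re


def parse_version(text):
    """Turn '10.1.82.76' into (10, 1, 82, 76) so components compare as integers."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric components in version {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Comparator returning -1, 0 or 1; missing trailing components count as 0,
    so '10.1' and '10.1.0.0' are equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


# Constructed inventory: each entry is one product on one host together with the
# version of the runtime it embeds. Host names and the third product are placeholders;
# the two Flash Player versions are the ones quoted in the thread.
INVENTORY = [
    {"host": "ws-01", "product": "Adobe Reader 9.4", "component": "Flash Player", "bundled": "10.1.82.76"},
    {"host": "ws-02", "product": "Flash Player (stand-alone)", "component": "Flash Player", "bundled": "10.1.85.3"},
    {"host": "ws-03", "product": "legacy-app (placeholder)", "component": "Flash Player", "bundled": "10.0.45.2"},
]

# Current release per component; in practice this comes from the vendor's bulletin.
CURRENT = {"Flash Player": "10.1.85.3"}


def lagging_components(inventory=INVENTORY, current=CURRENT):
    """Return (host, product, bundled, current) for every embedded component that is
    older than the current release. A product that is itself fully patched still shows
    up here when the runtime it bundles has fallen behind."""
    findings = []
    for item in inventory:
        latest = current.get(item["component"])
        if latest is None:
            continue  # no reference version known for this component
        if compare_versions(item["bundled"], latest) < 0:
            findings.append((item["host"], item["product"], item["bundled"], latest))
    return findings


if __name__ == "__main__":
    for host, product, bundled, latest in lagging_components():
        print(f"{host}: {product} bundles Flash Player {bundled}, current is {latest}")
```

Run against the constructed inventory, the check reports ws-01 (Reader 9.4 with Flash 10.1.82.76) and the placeholder host, while the machine running stand-alone Flash 10.1.85.3 is clean; keyed on the embedded component rather than the product name, the same logic applies to any product that ships its own copy of a third-party runtime.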

    1. JCitizen

      It is typical to install the updates only to find you are still vulnerable. However, sometimes the new vulnerability is less a threat than the previous one.

      Secunia PSI uses a threat analysis color band to give instant feedback on the relative threat profile of a given vulnerability.

      I sometimes simply uninstall the software and wait a few days or weeks for another update.

    1. PaulJ

      @emv, because no one in their right mind would download and install AIR otherwise?

    2. axial

      Adobe AIR is used for the help system of several Adobe products. Perhaps the installer is intelligent enough to know whether you have a preexisting AIR install that needs to be updated.

  10. CloudLiam

    I’ve installed the update on three computers so far, two through the updater and one manually, no AIR.

  11. Bart

    Having recently converted from Windows to Mac, I am confused about whether my new iMac uses the Adobe reader. Viewing PDFs seems to be through the Preview function, but I can’t tell whether Adobe is there behind the curtain. Under Utilities, I only see Adobe Flash.

    Can anyone help me on this?

    1. PaulJ

      @Bart the Mac has no need for Adobe Reader, the built-in Preview.app does a fabulous job with PDFs.

      I imagine there are a few javascript-rich documents (tax forms, maybe?) that need the full Reader, but in 3 years of Adobe-free Mac OS X use, I have yet to encounter a document that Preview couldn’t manage.

  12. Bart

    Thanks, Paul. I had been reading about the Foxit beta for Macs but it looks like it is not necessary.

  13. Emet's wife

    Emet’s valuable post was buried, so here’s the url again:

    http://view.samurajdata.se/

    And it is better than Adobe’s online conversion utility, Emet had more to say, scroll up to his post and read it.

    Let this be a lesson for you corporate shills burying messages which don’t all but worship your company and suggest better alternatives: WE WILL NOT BE SILENCED! Thumb it down and it will appear again, and again, and again, until you understand what FREEDOM is all about!
