November 17, 2010

Adobe on Tuesday issued a critical update to patch at least two security holes in its PDF Reader and Acrobat software, including one flaw that was publicly disclosed earlier this month.

Updates are available for Windows, Mac and UNIX versions of Reader and Acrobat. The newest version is v. 9.4.1. If you use either of these products, take a moment to update them by clicking “Help,” then “Check for Updates.” Direct links to the new versions also are available in the Adobe advisory for this update. Note that this is not the sandboxed version (Adobe Reader X, or v. 10.0), which is expected to be released at the end of this month.

Separately, the company is warning users not to fall for recent phishing and other e-mail scams targeted at Adobe customers looking for Adobe Acrobat X, a new product being released this week. “Many of these emails require recipients to register and/or provide personal information. Please be aware that these emails have not been sent by Adobe or on Adobe’s behalf,” Adobe said.


19 thoughts on “Critical Updates for Adobe Reader, Acrobat”

  1. Ron Blackwell

    Thanks for the notice, Brian. Normally, the Adobe updater icon appears in my system tray when updates are ready, but for some reason it didn’t this time.

    1. Peter

      This patch was announced 3 weeks ago. The reason to *(%(&^%)(&*_(&* about Adobe is it took 2 weeks after a zero day exploit was disclosed to release the Flash patch for it and 3 weeks for the Acrobat/Reader patch.

  2. Hank Holt

    Hi Brian,

    Here are a couple of links to the Adobe Secure Software Engineering Team Blog entries concerning sandboxing in Adobe Acrobat X:

    http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design.html
    http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-%E2%80%93-part-2-%E2%80%93-the-sandbox-process.html

    Excerpt from “Inside Adobe Reader Protected Mode-Part 1- Design”

    “Limitations

    The sandbox’s reliance on the operating system means that it could potentially be subject to its flaws. Like the Google Chrome sandbox, the Adobe Reader Protected Mode sandbox leverages the Windows security model and the operating system security it provides. This intrinsic dependency means the sandbox cannot protect against weakness or bugs in the operating system itself. However, it can limit the severity of such flaws when code executes inside the sandbox, since the sandbox blocks many common attack vectors.

    Our first version of sandboxing is not designed to protect against:

    Unauthorized read access to the file system or registry. We plan to address this in a future release.

    Network access. We are investigating ways to restrict network access in the future.

    Reading and writing to the Clipboard

    Insecure operating system configuration”

  3. Joe

    You could also #$@#$ about the fact that the Unix updates aren’t actually available now (and aren’t scheduled to be so for two weeks).

    Or about the moronic update process that requires a reboot on Windows if updated from within the application (vs. downloading an installer).

    Or the fact that Adobe tries really hard to force you to use their stupid download manager (which itself has had security issues in the past).

    Really, you will probably run out of @#$@#$ before you run out of reasons to #@$@#$ Adobe.

  4. Phoenix

    Foxit reader is out there and I notice the current version takes advantage of DEP and ASLR.

    1. Alvaro

      Yey, I have been using Foxit for years now and have never been worried about the tons of problems of Adobe Acrobat vulnerabilities. But Flash, it’s another deal; browser sandboxing seems to be the better solution.

  5. Rich Gibbs

    As Joe said, the Unix/Linux updates are not yet available. From Adobe’s Security Bulletin [APSB 10-28]:

    “An update for Adobe Reader users on UNIX is expected to be available on November 30, 2010.”

    I don’t actually use Adobe Reader for much — certainly not for routine looking at PDF documents, since xpdf is enormously faster, and does not include so many mis-features. For some things, though, like the IRS’s fill-in-the-form PDFs, Reader is still (unfortunately) a practical requirement, at least some of the time.

    I also agree with Joe’s comment about the need to reboot Windows after installing, although the adjective I used when I saw it was a bit stronger than “moronic”.

  6. Russ

    If you open the PDF through Google’s doc viewer can your client still be affected by related exploits? It’s not elegant and for many people not practical, but it might be a way to view PDFs without needing any local PDF software at all.

    1. timeless

      Google’s PDF thing converts PDFs into web content, so unless the browser suffers from some *other* flaw(s), or Google’s PDF converter accidentally serves you the PDF anyway, you’d indeed be safe.

  7. Nogero

    I would like to hear a little about how enterprise administrators keep track of and roll out the many, many updates coming from Microsoft and more so Adobe. PDF use is dominating the scene but so are exploits.

  8. Jim

    OK, had to download the full Adobe as the update would not install. Now my machine is running slow and I get a fatal error splash when I attempt to open the reader. Adobe should go into the malware business.

  9. Hank Holt

    When I installed the Reader update in Vista x64 it caused an error with DCOM and Windows Search. Did the same thing when I uninstalled Reader completely.

    I have Adobe CS4 installed which includes Acrobat therefore I don’t need Reader. The PDF plugins in both Firefox and IE8 still work without it.

    Keep in mind that the underlying flaw in Reader is how it handles Flash content, which in my opinion it shouldn’t be doing anyway.

    Frankly, Adobe has one of the worst update mechanisms I’ve seen. With Flash CS4, I have to find the Flash Player instances within the authoring app and update them manually by renaming files. It is a PITA and Adobe’s instructions are not clear at all.

    While I’m no fan of Steve Jobs, I certainly agree with his stance on Flash and Java. I think my little world would definitely be a better place without both of them.

  10. Jim

    Uninstalled Adobe Reader in hopes of a new clean install. However, I get the Access Denied get permission from SYSTEM notice. I hate when this happens. I’m the admin and only user of my machine. I AM the SYSTEM. Uninstalled all the Reader Reg entries. I’m still locked out from deleting remaining Reader files.

  11. nola

    Hi Brian,
    Thanks a lot for your e-mails; they have helped me a lot. Kind regards

  12. Gary

    I wrote “*!!(*$&#$ !!! Again?” because Brian reported that Adobe had issued patches for Acrobat on 19 August and 5 October. I felt that three patches in three months for a single veteran program merited my remark.

  13. Alan

    Adobe Reader X is now (Nov 18, evening) available for download so 9.4.1 is already obsolete.

  14. Phoenix

    Adobe Reader X is allegedly sandboxed (they’re certainly quiet about it). This might account for some of the difficulties updating.
