Adobe today issued more than a dozen security updates for its Acrobat and PDF Reader programs, including a feature update that will install future Reader security updates automatically. In addition, Adobe has shipped yet another version of its Flash Player software to fix a critical security flaw.
No doubt some will quibble with Adobe’s move toward auto-updating Reader: There is always a contingent in the user community who fear automatic updates will at some point force a faulty patch. But for better or worse, Adobe’s Reader software is the PDF reader software of choice for a majority of Windows computers in use today. Faced with incessant malware attacks against outdated versions of these programs, it seems irresponsible for Adobe to do anything other than offer auto-update capability to Reader users more aggressively.
Adobe debuted this feature in April 2010, but at the time Adobe decided to continue to honor whatever update option users had selected (the default has always been “download all updates automatically and notify me when they are ready to be installed”). With this latest update, Adobe will again prompt users to approve an auto-update choice, except this time the option pre-selected will be “Install Updates Automatically.”
I have long urged mere mortals (non-system administrators) to switch to a PDF reader that is less bulky and less targeted by cyber crooks and malware writers, such as Foxit, which also includes an auto-update mechanism. This advice is only reinforced when I read advisories like the one that shipped with today’s update, which may be decipherable by some but probably would completely mystify the average user:
“Adobe recommends users of Adobe Reader X (10.0.3) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1). For users of Adobe Reader 9.4.4 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1), Adobe has made available updates, Adobe Reader 9.4.5 and Adobe Reader 8.3. Adobe recommends users of Adobe Acrobat X (10.0.3) for Windows and Macintosh update to Adobe Acrobat X (10.1). Adobe recommends users of Adobe Acrobat 9.4.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.5, and users of Adobe Acrobat 8.2.6 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.3.”
In short, this update fixes at least 13 security holes, including a zero-day vulnerability in Adobe’s Flash player software that the company patched last week (the same flaw is present in Reader and Acrobat). The patch also addresses the three flaws in Adobe Reader X for Windows that were previously fixed in the other supported versions of Adobe Reader and Acrobat. If you use either the Mac or Windows version of Adobe Reader or Acrobat, you should select “Help,” and then “Check for Updates.” If there is an update available, please apply it. Here’s hoping that Adobe’s auto-update feature will be timely (not wait weeks after a new version is available to update the installed product) and that it won’t foist additional software — browser add-ons, toolbars and security scanning tools that often have accompanied previous manual updates.
Adobe also shipped another version of its Flash Player software, the second security update for Flash in less than a week (last week Adobe pushed out an emergency update to fix a flaw that attackers were already exploiting). Adobe said it identified a critical flaw in Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.23 and earlier versions for Android. Adobe urges users of Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.26, available now. Adobe expects to make available an update for Adobe Flash Player 10.3.185.23 and earlier versions for Android before the end of the week of June 13, 2011.
To find out what version of Flash you have installed, click this link. Updates are available from the Flash player download page. Windows users who browse with something other than Internet Explorer will need to apply the Flash patch twice, once by visiting the download page with IE and a second time with Mozilla or Opera. Google Chrome users should already have the latest Flash update (automatically updated to Chrome version 12.0.742.100 for all platforms).
Update, 8:51 a.m. ET: Added information about another Flash update.