June 14, 2011

Adobe today issued more than a dozen security updates for its Acrobat and PDF Reader programs, including a feature update that will install future Reader security updates automatically. In addition, Adobe has shipped yet another version of its Flash Player software to fix a critical security flaw.

No doubt some will quibble with Adobe’s move toward auto-updating Reader: There is always a contingent in the user community who fear automatic updates will at some point force a faulty patch. But for better or worse, Adobe’s Reader software is the PDF reader software of choice for a majority of Windows computers in use today. Faced with incessant malware attacks against outdated versions of these programs, it seems irresponsible for Adobe to do anything other than offer auto-update capability to to Reader users more aggressively.

Adobe debuted this feature in April 2010, but at that the time Adobe decided to continue to honor whatever update option users had selected (the default has always been “download all updates automatically and notify me when they are ready to be installed”). With this latest update, Adobe will again prompt users to approve an auto-update choice, except this time the option pre-selected will be “Install Updates Automatically.”

I have long urged mere mortals (non-system administrators) to switch to a PDF reader that is less bulky and less targeted by cyber crooks and malware writers, such as Foxit, which also includes an auto-update mechanism. This advice is only reinforced when I read advisories like the one that shipped with today’s update, which may be decipherable by some but probably would completely mystify the average user:

“Adobe recommends users of Adobe Reader X (10.0.3) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1). For users of Adobe Reader 9.4.4 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1), Adobe has made available updates, Adobe Reader 9.4.5 and Adobe Reader 8.3. Adobe recommends users of Adobe Acrobat X (10.0.3) for Windows and Macintosh update to Adobe Acrobat X (10.1). Adobe recommends users of Adobe Acrobat 9.4.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.5, and users of Adobe Acrobat 8.2.6 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.3.”

In short, this update fixes at least 13 security holes, including a zero-day vulnerability in Adobe’s Flash player software that the company patched last week (the same flaw is present in Reader and Acrobat). The patch also addresses the three flaws in Adobe Reader X for Windows that were previously fixed in the other supported versions of Adobe Reader and Acrobat. If you use either the Mac or Windows version of Adobe Reader or Acrobat, you should select “Help,” and then “Check for Updates.” If there is an update available, please apply it. Here’s hoping that Adobe’s auto-update feature will be timely (not wait weeks after a new version is available to update the installed product) and that it won’t foist additional software — browser add-ons, toolbars and security scanning tools that often have accompanied previous manual updates.

Adobe also shipped another version of its Flash Player software, the second security update for Flash in less than a week (last week Adobe pushed out an emergency update to fix a flaw that attackers were already exploiting). Adobe said it identified a critical flaw in Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.23 and earlier versions for Android. Adobe urges users of Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.26, available now. Adobe expects to make available an update for Adobe Flash Player 10.3.185.23 and earlier versions for Android before the end of the week of June 13, 2011.

To find out what version of Flash you have installed, click this link. Updates are available from the Flash player download page. Windows users who browse with something other than Internet Explorer will need to apply the Flash patch twice, once by visiting the download page with IE and a second time with Mozilla or Opera. Google Chrome users should already have the latest Flash update (automatically updated to Chrome version 12.0.742.100 for all platforms).

Update, 8:51 a.m. ET: Added information about another Flash update.


43 thoughts on “Adobe Ships Security Patches, Auto-Update Feature

  1. Chris

    The big question for me is will this auto update feature also install extra software without your permission the way the adobe downloader does. I have nothing against auto updates but the way the adobe downloader just installs third party software without so much as a checkbox asking if you want it is totally unacceptable to me.

    1. Wiebke Lips, Adobe Systems Incorporated, San Jose, CA

      The Adobe Reader Updater (which is the update mechanism within the product) does not install any third-party software, regardless of whether the user chooses the automatic update option (available for Windows users), semi-automatic updates or manual updates.

      The vast majority of attacks we are seeing are exploiting software installations that are not current with the latest security updates. We therefore believe that the automatic update option is the best option for most end-users and strongly encourage users to choose this option.

      Third-party software is offered when downloading Adobe Reader from the Adobe Reader Download Center on the Adobe website as an option via a check box only, and users can uncheck the box, if they do not wish to install the optional third-party software.

      1. Al Mac

        Thanks for the clarification.

        Since the Reader is not doing this, perhaps you can itemize other Adobe products situation, since Flash seems to have upgrades more often than Reader.

        Problems I have experienced:
        * Trying to read the agreement after upload started … the page asking us if we have read the agreement, it blocks the agreement.
        * 3rd party stuff installed along with Adobe that we did not specifically request, and would have said no to had we had the opportunity to say no.
        * 3rd party stuff installed along with Adobe that we specifically said no, we did not want it installed.
        * Getting at the pages where we can review and adjust our Flash privacy settings.

      2. Kooberfacer

        Quite correct.Its actually amazing how folks are running xp machines with service pack 2 still installed on them.Adobe doesnt install third party software.They do have an auto updater they install with their software.

        The problem isnt adobe ,its the hackers who hack the software and then use it to exploit systems.

  2. Jim Popovitch

    Dump everything Adobe. Install Google Chrome (which comes with flash and a pdf viewer).

    1. qka

      Wrong! Chrome still uses Adobe software; it’s just installed and updated differently from other browsers.

  3. Morris

    Indeed, as you say Brian, Adobe is hardly the only game in town. There are offerings such as PDF-Xchange Viewer and Nitro PDF (combined reader and print to PDF utility) both of which offer several extra features inbuilt such as typing into forms, highlighting, annotation, etc for free. I’ve not used Adobe’s bloated set for quite a few years now.

    1. Russ

      I’ll chime in my recommendation to check out Sumatra if you don’t need a truckload of options. It is incredibly lightweight and responsive. Highly recommended for consumption, can’t speak for creation.

      Also, are the auto-updates quiet background installs?

  4. JBV

    Two problems after download of 9.4.5 update – any help would be appreciated:

    1. Cannot find screen, pictured above, for selecting update preference. There was no prompt during download. It is not in the Help tab.

    2. When I clicked on “About Adobe Reader 9” in the Help tab to double check version number, it locked up and would not close. Had to force shutdown of Windows7 to get rid of it.

    1. CloudLiam

      #1: Edit/Preferences/Updater

      #2: Open Event Viewer, expand Custom Views, click Administrative events and check the log for the error. You can also expand Windows Logs and click on Application to find it.

      1. CloudLiam

        I forgot to say that you should have been able to close Reader through the Task Manager or even better, Process Explorer if you have it installed.

        1. JBV

          Thank you very much – I appreciate it. The updater screen is really hidden away. (I did try Task Manager, but it wouldn’t close from there.)

    2. Wiebke Lips, Adobe Systems Incorporated, San Jose, CA

      With yesterday’s release, we turned on the automatic update option by default for all Adobe Reader users on Windows. The screen for the automatic update option will pop up the NEXT time the Adobe Reader Updater detects that a new update is available. The next quarterly scheduled update is currently planned for September 13, 2011.

  5. Orlando

    “Adobe today issued more than a dozen security updates for its Acrobat and PDF Reader programs.”

    Hah! Here we go again!
    I’m so glad I followed your advice a while ago and started using the free, open source Sumatra PDF instead. I only need to read .pdf files and it does that well enough for my purposes.

    Many thanks for the blog which I check daily.

    Orlando.

  6. muffin

    on your advice brian i switched from adobe to foxit for a pdf reader. i’m very happy with foxit. thanks!

  7. Al Mac

    The last time I patched Adobe, and every time, I say NO to all the add-ons offered. Last time it gave me McCaffey security anyway. I did not want it because I have AVG 2011 security, feared 2 different securities potentially messing with each other.

    After Adobe patch done, I read McC help and learned it would start nothing without my explicit action. 24 hours later I saw it starting a full system scan, without my request, which I stopped, then I un-installed McC.

  8. Francis Turner

    Will the do the same for flash?

    Either way this may also help against some of the social engineering attempts that do the “your flash/acrobat/… is out of date click here to update to a version that will display this content” trick.

  9. Jim J.

    Well, Adobe foiled me again. Will not allow uninstalling the reader. Error 1404 you do not have access to this code and reverses the uninstall process. In addition, nags to reinstall flash player with did uninstall….I thought. Reckon I’ll need to do some registry tweaking to get rid of Adobe reader.

  10. DosFreak

    “With this latest update, Adobe will again prompt users to approve an auto-update choice, except this time the option pre-selected will be “Install Updates Automatically.”

    So I guess instead of the current method where it will prompt the user to install but they cannot install because they are just a user (and the updater doesn’t use UAC) so it never update….

    Instead they won’t see a prompt at all and it will never update.

    Progress!

    Adobe/Java/Microsoft get off your asses and pushes updates out using Microsoft Update or fix your shitty updaters.

    1. John

      I was thinking the same thing. I would love to drop Adobe but the other PDF readers don’t work as well with most of the software I have to use.

  11. Technocrat

    FYI: In the first sentence of the last paragraph, you are missing the actual hyperlink for “click this link”.

  12. Katanchik

    Forcing a download (with extra stuff) is annoying, may be illegal and a show of insensitivity to the User’s community. Most of all to to System Administrators and Testers who are required to download Patches for different OS levels, before releasing it to own business Users.

    1. Wiebke Lips, Adobe Systems Incorporated, San Jose, CA

      Keep in mind that the automatic updates are not being “forced.” With yesterday’s release, we turned on the automatic update option by default for all Adobe Reader users on Windows. That said, because honoring the user’s choice is important to us, the user will be presented with the automatic update option screen (pictured in Brian’s article above) the next time the Adobe Reader Updater detects that a new update is available. Users can opt out at that time. However, we strongly encourage end-users on Windows to choose the automatic update option because staying up-to-date with software updates (for any software) is critical in today’s threat environment. The vast majority of attacks we are seeing are exploiting software installations that are not current with the latest security updates.

      In terms of third-party software, note that the Adobe Reader Updater (the update mechanism within the product) does not install any third-party software, regardless of whether the user chooses the automatic update option (available for Windows users), semi-automatic updates or manual updates.

      1. Al Mac

        I guess that either Yahoo Tool Bar and McCaffey Security are not considered to be 3rd party, or it is just my imagination that they came with Adobe updates.

        I distinctly remember being very annoyed during an Adobe patch where McCaffee got installed, and I was never given an opportunity to say no. That happened to me approx a week ago, so it is still quite fresh in my memory.

        I do now see opportunities to say no to Yahoo Tool Bar, which actually work. There was a time when I would say no, but it got installed anyway. Yahoo Tool bar is not a major problem, since I can tell my browser to make that line deactivated,

      2. MowGreen

        Weibke Lips posted ” However, we strongly encourage end-users on Windows to choose the automatic update option because staying up-to-date with software updates (for any software) is critical in today’s threat environment. The vast majority of attacks we are seeing are exploiting software installations that are not current with the latest security updates.

        In terms of third-party software, note that the Adobe Reader Updater (the update mechanism within the product) does not install any third-party software, regardless of whether the user chooses the automatic update option (available for Windows users), semi-automatic updates or manual updates. ”

        The automatic updater for FlashPlayer is extremely slow and does NOT offer the most current, supposedly, secure Version.

        EX: An XP SP3 system that had not been booted up since May 16th of 2011 had Version 10.3.181.14 installed.
        When it was started up on Monday, June 13th, instead of the auto updater offering the most recent Version at the time, v.10.3.181.23, it was offered v.10.3.181.16.

        A typical Home User, who would NOT be aware that v.10.3.181.16. was extremely vulnerable and was NOT the most current version starts browsing the web and their system could be exploited by malvertizing or a compromised site with NO User interaction required.

        As to using Internet Explorer to update Flash Player from this URL – http://get.adobe.com/flashplayer

        Why was the Google Toolbar included for installation with a *Security* update ?

        The practice of securing software with updates that include unwanted, unneeded “fluff” is contradictory to the purpose of Security updates.

        The tactic of “stealth” software installation is what one expects from malware authors, not legitimate software vendors.
        Yes, the User *should* read and decide for themselves whether they want this unrequested add-on, but in the real world, it’s a well known *fact* that a sizeable number of Users just click install, OK, or download.

        Security updates should secure vulnerable software and *never* include anything else.

      3. George Hill

        How exactly was my previous setting to “download but not install updates” overridden? And when was this setting overridden? Was the Adobe Updater silently updated? When? Adobe Reader just now (June 29) updated itself without my permission and I was not shown an “automatic update option screen”.

        1. Wiebke Lips, Adobe Systems Incorporated, San Jose, CA

          Hi George,

          The change to automatic updates by default was announced and made with our June 14 update (see http://blogs.adobe.com/asset/2011/06/notes-on-adobe-reader-and-acrobat-10-1.html for details). The notification screen about the automatic update option will be presented to you the next time the Adobe Reader Updater detects that a new update is available. You can opt out at that time, although we highly recommend accepting the automatic update option because the majority of exploits we are seeing are targeting outdated installations. The next quarterly update for Adobe Reader is currently scheduled for September 13.

        2. Al Mac

          For me, this is an intermittent problem.

          Some Adobe updates are perfect.
          I get the update I asked for, no hassles.

          Some install stuff I did not ask for.
          Some ask me, I say no, they install anyway.
          Some do not ask me, they install extras.

          I’d guess maybe 2/3 to 3/4 are perfect and 1/4 to 1/3 have unwanted surprises.

          There is one constant. Early in the process, Adobe wants us to confirm we read their agreement, and there’s a link for accessing the agreement, but the panel asking us to confirm totally blocks access to the agreement, so the only way we can read the agreement is outside the process of the patching, which is difficult to find outside that process, so what Adobe apparently wants of us:
          1. start the patching process
          2. get to the agreement request and do the link so we have a window on it
          3. abort the patching process, so we can read the latest version of the agreement
          4. restart the process, and now confirm that we had in fact read the agreement

  13. ALLEN

    Agreeing with Technocrat: where’s the hyperlink?
    I’m relatively new to all of this – any help would be appreciated. Thanks

  14. weaselspleen

    I’ve been saying it for years. It’s long past time for Microsoft to provide a single unified software updating method that’s available to all developers. It doesn’t need to be integrated with Microsoft’s own update service, though that would be ideal. Just a common API for handling updates for applications.

    Having half a dozen separate applications constantly running in the background just to check for updates is moronic, and the current state of affairs is so far beyond sanity that it’s busted out into an alternative reality where cockamamie nonsense is the law of the land.

    1. Orlando

      If the unified method suggested by weaselspleen is indeed possible then why is not done?

      I keep an eye on the list of programs started at boottime with C(rap)Cleaner and regularly need to disable/delete entries for things like Java and iTunes. As has been mentioned by Brian on many occasions, it would be good if I could to do away with Java but I’m afraid I need it.

      Orlando.

      1. CloudLiam

        I just had to hide an NVIDIA driver update I didn’t want so Windows Update would stop nagging me about it so it’s certainly feasible.

        Perhaps Wiebke could shed some light on why it’s not done?

    1. anonymous A

      Thanks, Mark. I was looking for this.

  15. Turnip

    Fedora and Ubuntu offer smooth, unified whole-system updates. The updater checks periodically, alerts me, and after I approve the updates, it downloads stuff from the distro and also from the websites of Adobe (Flash), Google (Chromium), etc.

    Why not Windows? I’m sure they could standardize it, but Windows is more complicated than Linux both technically and culturally (the file system locks files, everything has a clickwrap agreement, wizards ask questions). It’s a hard problem and the benefits would redound to Microsoft’s competitors. Maybe, when Microsoft comes out with a Windows app store, it will tie together the loose ends.

    1. Orlando

      Thanks for the remarks on “Why not Windows?”
      While a unified method would definitely be a worthwhile improvement of Windows, I guess it’s not the most exciting of things to talk about when promoting Windows 8, so it’ll never be made a priority “thing to do” by Microsoft.

      I bet you’re right, and the app store is the way it ultimately does happen.

      Orlando.

  16. John David Galt

    Having to update a product again and again shows that it was built on a security model that is broken from the word go. I never had to do this when I administered VAX/VMS systems. I’ll become a Windows convert when I see a Windows system that has stayed up 3 years without rebooting (I had that with VAX/VMS).

  17. phyllis schaeffer

    what’s going on here? today i got this message about a new comment to this post but it doesn’t have anything to do with the topic:

    There is a new comment on the post “Adobe Ships Security Patches, Auto-Update Feature”.
    http://krebsonsecurity.com/2011/06/adobe-ships-security-patches-auto-update-feature/

    Author: understanding health insurance
    Comment:
    Thanks for the strategies you discuss through this web site. In addition, lots of young women who become pregnant usually do not even attempt to get medical health insurance because they have anxiety they probably would not qualify. Although some states at this moment require insurers supply coverage regardless of pre-existing conditions. Rates on these kind of guaranteed plans are usually greater, but when thinking about the high cost of medical care it may be the safer approach to take to protect your financial potential.

    To see all comments on this thread please visit:
    http://krebsonsecurity.com/2011/06/adobe-ships-security-patches-auto-update-feature/#comments

    1. BrianKrebs Post author

      Phyllis,

      You subscribed to receive updates to this discussion thread, and some impolite spammer blasted a bunch of junk comments on several of my posts. They have been deleted. Sorry for the disruption. I’ve also edited your comment to remove the links to the offending post and to remove your email address, which is automatically included in those subscribe emails that you receive (you cut and pasted it all into your comment).

      Cheers,

      Bk

Comments are closed.