June 29, 2010

Adobe Systems Inc. is urging users to update installations of Adobe Reader and Acrobat to fix a critical flaw that attackers have been exploiting to break into vulnerable systems.

The update brings Adobe Acrobat and Reader to version 9.3.3 (another update for the older 8.2 line of both products brings the latest version to v. 8.2.3). Patches are available for Windows, Mac, Linux and Solaris versions of these programs. Adobe’s advisory for this update is here, and the Reader update is available from this link — or by opening the program and clicking “Help” and “Check for Updates.” If you download the update from the Adobe Reader homepage, you’ll end up with a bunch of other stuff you probably don’t want (see below, after the jump for more on this).

If you use Adobe Reader or Acrobat, please take a moment to update this software. Users may also want to consider switching to other free PDF readers that are perhaps less of a target for malicious hackers, such as Foxit Reader, Nitro PDF Reader, and Sumatra.

It’s not hard to recommend almost any other PDF reader over Adobe’s. For starters, despite Adobe’s promises to streamline its update process, updating an Adobe product seems to have gotten far more complex over the past year or so. For instance, updating from Adobe’s Web site always pre-checks the installation of third-party software, such as an anti-virus “security scanner” or a toolbar. This version of Reader also installs a program called “Acrobat.com,” an online PDF creation and manipulation manager. Incidentally, when you launch Acrobat.com from the icon the Reader update leaves on your desktop, another “mandatory update” is required for this product as well.

On top of that, the user is required to download the Adobe Download Manager, a program that has in the past introduced its own security vulnerabilities.

Many readers have asked about the purpose of the download manager, which is apparent with this month’s release: Adobe is using the Download Manager progress screen as an opportunity to pitch a number of other software titles available for download, apps made to work with Adobe Air, yet another multimedia component that comes bundled with each Reader update.

But the update process still isn’t complete. In fact, Adobe Reader at this point is only at version 9.3.0, and still needs to download an additional update to bring the user up to the latest version, 9.3.3. Getting that update requires opening Reader, waiting a minute or two for the Reader Update icon to appear in the Windows taskbar, and then double-clicking the install button. Windows users then need to restart their systems for the patch to take effect.
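Because the installer leaves machines at 9.3.0 until the second, in-product update runs, it is worth checking what version is actually installed rather than trusting that the download happened. The script below is an added example (not Adobe's tooling and not from this post): it compares reported Reader/Acrobat versions against the fixed release for each product line named above, 9.3.3 for the 9.x line and 8.2.3 for the 8.x line, and sorts a small constructed host inventory into patched and still-vulnerable sets. The inventory and hostnames are made up for the example; a version from a line the post does not mention (7.x, say) is reported as "not_covered" rather than guessed at.

```python
"""Branch-aware version check for the Adobe Reader/Acrobat update described above.

Added example, not Adobe's code. Fixed versions per product line come from the
post (9.3.3 for 9.x, 8.2.3 for 8.x); anything else is reported as not covered.
"""

# product line (major version) -> first fixed release, per the advisory summary
FIXED_VERSIONS = {9: (9, 3, 3), 8: (8, 2, 3)}


def parse_version(text):
    """Turn '9.3.3' into a comparable tuple; short strings such as '9.3' are
    padded with zeros so they compare as 9.3.0."""
    parts = text.strip().split(".")
    try:
        nums = tuple(int(p) for p in parts)
    except ValueError:
        raise ValueError(f"unparseable version string: {text!r}")
    if len(nums) < 3:
        nums = nums + (0,) * (3 - len(nums))
    return nums


def assess(version_text):
    """Classify one installed version as 'patched', 'vulnerable' or 'not_covered'."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        # the post lists no fixed build for this line; do not assume either way
        return "not_covered"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, version_string) pairs.
    Returns {status: sorted list of hostnames}."""
    result = {"patched": [], "vulnerable": [], "not_covered": []}
    for host, version_text in inventory:
        result[assess(version_text)].append(host)
    for hosts in result.values():
        hosts.sort()
    return result


# Constructed sample inventory; the hostnames and versions are invented.
SAMPLE_INVENTORY = [
    ("ws-01", "9.3.3"),   # fully updated
    ("ws-02", "9.3.0"),   # the intermediate build the installer leaves behind
    ("ws-03", "8.2.3"),   # 8.x line, updated
    ("ws-04", "8.2.2"),   # 8.x line, one release behind
    ("ws-05", "7.0.9"),   # line not mentioned in the post
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

In practice the version strings would come from whatever inventory or software-management tool you already have; the point of keeping the per-line fixed versions in one table is that a 9.3.0 host and an 8.2.2 host are both flagged, while a 9.3.3 host is not mistaken for "behind" just because 8.x has a different number.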

By the way, the vulnerability Adobe fixed in Reader and Acrobat also exists in Adobe’s ubiquitous Flash Player, but Adobe shipped an update to fix that flaw in Flash on June 10. If you haven’t already updated Flash this month, have a look at this post, which walks you through how to do that.


29 thoughts on “Security Updates for Adobe Acrobat, Reader”

  1. JBV

    Thank you, Brian. Your reminders are invaluable.

  2. JL

    The biggest PITA that Adobe pulled with Reader occurred when they released v9 and removed the Multiple Document Interface (MDI) capability on some nonsensical grounds that the Mac doesn’t do MDI.

    MDI is what lets you use the menu bar Window command and open multiple PDFs from one running copy of a program. Removing MDI capability means each time you open a PDF it launches another copy of Reader in a different place on the monitor. If you work in a business that routinely does document reviews, this is the stupidest thing that they could have done. That’s why we rolled everyone back to v8 and are trialing a replacement program for Reader and Acrobat itself.

    http://blogs.adobe.com/acrobat/2008/09/mdi_vs_sdi_in_acrobat.html – Sept. 2008:

    “Going forward the Acrobat Product Management team has started exploring alternative ways to accomplish some of what is so loved about MDI mode. While we can’t comment publicly on that at this time, please know that we have heard you.”

    And ignored you.

    1. Brian Krebs

      JL– Today’s press release from Adobe promises they are still listening. The comments here might be a good way to tell them what you think.

      From the release:

      “We are Listening: A note that the security of our users continues to be a key priority for Adobe. As part of our commitment to product security, we are listening to the feedback from our users and the community at large. That feedback is paramount, as we continue to develop new capabilities that further strengthen the security of our products.”

    2. Joe

      Check out PDF-Xchange Viewer (free) from http://www.tracker-software.com/

      Pluses are tabbed interface, typewriter mode (type over the top of a document, mark it up, “fill-in” a non-form), save your markup and filled-in forms, and pocket version that can run from a shared folder – update in one place for all your users.

  3. Dave Newbern

    I took the easy way out and ditched all of my Adobe software. I am now using Foxit and find that things are much faster and that I can now open pdfs on pages that Adobe had problems opening!

    1. Jimmy

      I would recommend disabling Javascript in Foxit reader also.

  4. Bob

    Sign up for the redistribution program. You get direct access to download the install exe and any msp files to run the updates. No download manager, no third party apps.

    Of course, having to do this just to keep software updated is a joke, but it does simplify things.

    1. george

      I’ve tried to, but they rejected me on the ground that I provided an email address with a free provider (Yahoo).
      Point one: They could have specified somewhere during application process a free email account is not accepted.
      Point two: Technically the email account provided by my employer is not mine and I cannot risk exposing it to any spam. Plus I lose access to it once I change jobs.
      Even directly downloading the .exe file as suggested by Brian and other Internet sources still pushes the Adobe Download Manager on you when updating to 9.3.3. For me this was the last drop: on some computers I own I switched to Foxit, on others to GhostScript/GhostView. I’m extremely happy with both. I hope for their own sake Adobe is listening and will act sometime on the complaints; their Reader, which I used to love in versions 3.X to 6.X, has become a typical example of bloatware. Thank you, Brian, for standing up to this; your voice should certainly weigh a lot with software vendors, especially when their products are lately preferred vectors for virus infection.

  5. Aviv Raff

    You should all update flash/reader ONLY through the direct download links.
    Installing the Adobe Download Manager can expose your computer to potential threats.
    e.g. An attacker can use it to automatically install Google Toolbar, McAfee Scan Plus, or other Adobe products. No user interaction needed.
    Adobe have decided to downplay this issue, and ignore my requests (over 4 months ago) to fix this.
    More info: http://aviv.raffon.net/2010/02/15/MayTheForceBeWithYou.aspx
    http://aviv.raffon.net/2010/02/18/SkeletonsInAdobesSecurityCloset.aspx

  6. Dirgster

    Thanks for keeping so many of us safe out there, Brian!

    What are the steps to uninstall Adobe Download Manager?

  7. JackRussell

    I tried Foxit for a while, but if I clicked on a link to a PDF file from Firefox, half the time Foxit would hang while the pdf file was being downloaded. I would have to kill it from the task manager and then try and open the pdf again, and that time it would work.

    So I got tired of this nonsense and went back to Adobe.

  8. JCitizen

    Thankfully I use Foxit. It has updated twice in the last week. Seems they are even busier than Adobe in keeping ahead with improvements and security. I rarely get a flag from Secunia PSI anymore.

    It works flawlessly and with nary a problem on Vista x64 Home Premium.

    1. JBV

      I’d be interested in knowing why you believe software that needs updates twice in one week is safe?

      1. Jared

        I am sure the point is that it is actually maintained and has a tight feedback to release cycle. With the adobe products it’s clear it’s not that tight and there are some obvious gaps identified in this article that would bear some thought and improvement.

        If someone releases another 0-day today, how long would it take for Adobe to update?

        I’m certainly not in favor of daily releases for all cases but waiting a month or more for fixes does seem long in the asymmetrical threat environment we all face.

  9. me

    I’ve noted that with Adobe, if you close Reader after the update window opens, then start the download and follow with the update installation, the os restart is not required.

  10. Doug

    I agree that there are some, I’ll call them ‘business direction’, issues surrounding some of the add-ons with Adobe Reader. However, if you truly need a PDF viewer that provides you exactly what is in the PDF there is no substitute for Adobe’s product.

    Adobe Reader is the only one that accurately supports all the capabilities possible in a PDF.

    As an individual you use whatever software you are most comfortable with and/or can afford. As a business you use the software that will give you the fewest problems OR will make you the most money. In my professional opinion that is Adobe’s product over the others. We do look at and test the other products. There is always some ‘issue’ we find with the clones.

    For more information on this I suggest you read Duff Johnson’s blog entry http://www.appligent.com/talkingpdf-thestandardforpdfisreader

  11. qka

    The other long standing problem with Acrobat: it was slooooooooowwwwwww.

    So slow, it could be said to violate the A of the CIA of InfoSec: Availability.

  12. Jim

    I would rather take the chance of being compromised than go through the hassle of updating Adobe, which is a never ending adventure. What a mess.

  13. Al

    Adobe Reader 9.3.3 has one more important change to it besides fixing the outstanding security flaws.
    Previous versions of Adobe Reader (9.3.2 and earlier) allowed a PDF to open an external application. After the 9.3.3 patch, if you open a PDF that attempts this, a message is displayed telling you what application the PDF tried to launch and that (opening the application) “This is currently disallowed by your system administrator.”
    Prior to 9.3.3, you had to uncheck the “Allow opening of non-PDF attachments with external applications” option in Edit – Preferences – Trust Manager to prevent this potentially dangerous feature.

    1. ted

      I might use chrome as my pdf reader and firefox as my web browser.
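The behaviour Al describes above (a PDF asking the reader to start an external application) is carried in the file as a Launch action, an action dictionary whose `/S` entry is `/Launch`. Whether or not the reader blocks it, a defender usually wants to know which incoming PDFs carry one. The following is an added example, not code from this post or from Adobe: it scans a PDF's raw bytes for Launch actions and reports the file specification each one points at, and it runs against two minimal PDFs constructed inline for the example (the target name in the sample is a placeholder, not a real program). It only sees dictionaries stored in clear text; objects packed into compressed object streams would need to be inflated first, which is noted in the code.

```python
"""Flag Launch actions in a PDF's raw bytes.

Added example, not Adobe's code. The two sample PDFs below are constructed
for this example; the launch target in SAMPLE_PDF is a placeholder name.
Limitation: dictionaries inside compressed object streams (/ObjStm) are not
visible to a byte scan and would have to be decompressed first.
"""
import re

# An action dictionary with /S /Launch; whitespace between tokens is arbitrary.
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
# The file specification of a Launch action: /F (name), possibly inside /Win << ... >>.
TARGET_RE = re.compile(rb"/F\s*\(([^)]*)\)")


def find_launch_actions(pdf_bytes):
    """Return the launch targets (as strings) of every clear-text Launch action.

    Each hit is resolved within its enclosing indirect object ('N G obj' ...
    'endobj') so the /F entry is found whether it precedes or follows /S.
    An empty list means no Launch action was found in clear text.
    """
    targets = []
    for match in LAUNCH_RE.finditer(pdf_bytes):
        start = pdf_bytes.rfind(b" obj", 0, match.start())
        end = pdf_bytes.find(b"endobj", match.end())
        window = pdf_bytes[max(start, 0): end if end != -1 else len(pdf_bytes)]
        target = TARGET_RE.search(window)
        targets.append(target.group(1).decode("latin-1") if target else "<unknown>")
    return targets


def has_launch_action(pdf_bytes):
    """True if the file should be held for review because it carries a Launch action."""
    return bool(find_launch_actions(pdf_bytes))


# Constructed sample: a one-page PDF whose OpenAction is a Launch action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /Type /Action /S /Launch /F (placeholder-external-app.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same document with no action at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, data in (("sample.pdf", SAMPLE_PDF), ("clean.pdf", CLEAN_PDF)):
        hits = find_launch_actions(data)
        print(f"{name}: {'LAUNCH ' + ', '.join(hits) if hits else 'no launch action'}")
```

A scan like this belongs at the mail gateway or on a file share, where a hit can be quarantined for review; it is a complement to, not a replacement for, the Trust Manager setting, since the setting only governs what the reader does once the file is already open.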

  14. GG

    Another nuisance updating Acrobat reader — the process registers multiple programs for execution at PC boot. My startup monitor traps those and asks for confirmation — which I generally refuse. They’re usually unnecessary program fast-start stubs which bog the machine down and clutter the boot process. Install/update processes should indicate which boot registrations are optional (e.g., for program fast start) and which are required to complete the install/update.

  15. Kevin

    Since the update to 9.3.3 I’ve received an error message stating “This application has failed to start because lsapiw32.dll was not found. Re-installing the application may fix this problem.”

    Other reports of the same problem are cropping up on the Adobe community site at:
    http://forums.adobe.com/message/2942744#2942744

  16. Tim Rowe

    The link about launching external applications says “If your organization relies on this capability, we recommend that the functionality be re-enabled”, but I can’t find out how to do that 🙁

Comments are closed.