Adobe offers flawed version of Reader after update
by Steve Ragan - Feb 18 2010, 16:00
Adobe released the promised patch for Reader and Acrobat on Tuesday, addressing two critical vulnerabilities in the PDF software. However, users who download the update directly from the main Adobe website are given version 9.3, not the patched version 9.3.1.
In a security advisory, Adobe said they discovered a pair of critical vulnerabilities in Adobe Reader and Adobe Acrobat version 9.3. In addition, the same vulnerabilities were located in installations of Reader 8.2 and Acrobat 8.2.
“As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system,” the Adobe advisory states.
The images below detail the process of downloading Adobe Reader from the main link on Adobe’s website.
Following the Get Adobe Reader link will serve up version 9.3 of the software and, once installed, offer an update. However, if the update is ignored or disabled, then the user remains vulnerable.
While offering an update after installation is a good thing, the prompt took about five (5) minutes to appear. On another test system the notice has yet to arrive; however, the Check for Updates link in the Help menu offers it instantly.
It is unclear why Adobe is offering the previously flawed version of Reader via its direct link. While Adobe encourages users to apply updates immediately, and has programmed the Reader software to download updates automatically, it is still up to the user to install them.
The “download updates for manual installation” option is the default in Reader. Moreover, some users actually disable the Adobe Updater software, skipping new versions of the software altogether.
Past results have shown that users are likely to ignore patch installations for some time before applying them, despite advice otherwise, for various reasons. Assuming that they will see the update alert and install it immediately is just awkward. It would be safer to push new versions via the download links from the day the patches are released.
A recent report from ScanSafe says that in Q1 2009, 56 percent of exploits encountered on the Web used a malicious PDF file in the attack; this number grew to 80 percent by Q4 2009.
With that in mind, for those of you who went to the main Adobe portal and followed the links to download the new version of Reader, you are potentially at risk until Adobe updates the download links.
To mitigate this, the first step is to check for updates. The fastest way to do this is to open Reader, click Help, and then the Check for Updates link. You should download all available patches.
While Reader is open, click Preferences under the Edit menu, and in the Updater section select the “Automatically install updates” option. If you prefer to install them on your own time, make it a point to remain consistent with your patching. (Checking for and installing updates weekly is a good idea.)
While in the Preferences menu, you should also open the JavaScript section and disable JavaScript if you don’t need it.
To do so, just uncheck the box marked Enable Acrobat JavaScript. Most exploits leveraging PDF files take advantage of flaws in Adobe’s use of JavaScript, so disabling that option limits the attack surface offered to criminals.