Installer available from the official download website is two versions behind

Jul 23, 2009 12:33 GMT

Vulnerability research company Secunia has pointed out that Adobe is still serving Reader 9.1 from its official download website, despite this version being outdated and highly insecure. In its defense, Adobe explains that, at the first run after installation, the program notifies users of updates being available.

Secunia became aware of the problem after users of its own PSI (Personal Software Inspector) application complained that Adobe Reader was tagged as insecure, despite the fact that it had been downloaded directly from Adobe. "A mistake in the Secunia PSI? Perhaps, but we are happy to learn that the Secunia PSI is correct, but surprised to discover that Adobe ships insecure software to their users!" Mikkel Winther, PSI partner manager at Secunia, writes on the Danish company's blog.

One should not be surprised, though, as this has been standard practice at Adobe for a very long time. Clearly, a reputed vulnerability-research and -management company like Secunia is well aware of the patch-deployment procedures for one of the most attacked products at the moment. However, this doesn't make the practice ethically correct, at least from a security perspective.

Adobe claims it has solid reasons for shipping only single-dot releases, such as Adobe Reader 9.1, as full installers. According to Network World, Brad Arkin, the company's director for product security and privacy, explained that full installer releases had to pass a much more rigorous QA testing than security updates.

Therefore, putting double-dot versions such as 9.1.1 and 9.1.2, which only include bug fixes, through the same full-installer process would actually increase the time during which end users are exposed to vulnerabilities. To address this, Adobe installs an updater component that is supposed to warn users immediately of new updates when the single-dot version is run for the first time.

While Secunia acknowledges this, it notes that this feature doesn't always work as expected and does not cover all scenarios. It gives the example of a user who receives a PDF file packed with an exploit and has no PDF reader application installed. In this case, after getting Adobe Reader 9.1 from the official download site and installing it, the user's likely first action would be to open the PDF file they received, not to update the program.

Mr. Arkin acknowledged that some PC configurations and other factors might prevent the updater component from firing immediately at first run. For this reason, Adobe is looking into ways to make the updating process more robust and is considering decreasing the frequency at which the updater queries its servers for patches.

Adobe Reader 9.1.1 and 9.1.2 address a total of ten critical vulnerabilities, many of which allow for remote code execution. Some of them are still being actively exploited in the wild, as targeting flaws in older versions of popular applications, such as Adobe Reader or Flash Player, is a common practice in today's web-threat landscape. This is mainly because, regardless of how often developers release patches, the vast majority of users fail to install them.

Internet users who want to check whether the applications installed on their computers need updating can download the free Secunia Personal Software Inspector (PSI) and run a scan.
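The core of what a tool like PSI does, and the reason a fresh Reader 9.1 install is flagged even though it came from Adobe's own site, is a version comparison against a baseline of known patched releases. The following Python script is an added example, not Secunia's or Adobe's code; the baseline table and the software inventory it scans are constructed sample data, using only the version numbers this article mentions (9.1 as shipped, 9.1.2 as the latest update).

```python
"""Flag installed software whose version is below a known patched baseline.

Added example (not Secunia PSI code): a minimal version of the check PSI
performs. The inventory and baseline table below are constructed sample data.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'9.1.2' -> (9, 1, 2). A non-numeric part raises ValueError, so a
    malformed inventory entry is reported rather than silently passed."""
    return tuple(int(part) for part in text.strip().split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Shorter versions are zero-padded so '9.1' compares equal to '9.1.0' and
    below '9.1.1'. A plain string compare would get '9.10' < '9.2' wrong.
    """
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


# Constructed baseline: lowest version carrying all published fixes.
# 9.1.2 is the latest Adobe Reader update named in the article.
PATCHED_BASELINE: Dict[str, str] = {
    "Adobe Reader": "9.1.2",
}

# Constructed sample inventory, as an inventory scanner might collect it.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("Adobe Reader", "9.1"),     # fresh install from the download site
    ("Adobe Reader", "9.1.2"),   # fully updated machine
    ("Example Editor", "2.0"),   # hypothetical product with no baseline entry
]


def find_outdated(inventory: List[Tuple[str, str]],
                  baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (product, installed, required) for every entry below baseline.

    Products absent from the baseline are skipped here, not assumed safe;
    a real scanner should report them separately as 'unknown coverage'.
    """
    outdated = []
    for product, installed in inventory:
        required = baseline.get(product)
        if required is None:
            continue
        if compare_versions(installed, required) < 0:
            outdated.append((product, installed, required))
    return outdated


if __name__ == "__main__":
    for product, installed, required in find_outdated(SAMPLE_INVENTORY,
                                                      PATCHED_BASELINE):
        print(f"INSECURE: {product} {installed} installed, "
              f"{required} or later required")
```

Running the script prints one line for the 9.1 entry and nothing for the 9.1.2 one. The zero-padding in `compare_versions` is the detail that matters for this article's case: the installer reports itself as "9.1", and a naive comparison that treats "9.1" and "9.1.2" as strings of different shape either misorders them or throws, which is exactly the kind of gap that lets an outdated install pass unnoticed.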