Network News

X My Profile
View More Activity

Time to Update Your Adobe Reader

Adobe Systems is urging users who run the company's Adobe Reader software on Microsoft Windows computers to update to a new version of the popular PDF document viewer, after the company was alerted to several flaws that criminals could exploit to break into computers running the software.

reader_icon.jpg

From the Adobe advisory: "Critical vulnerabilities have been identified in Adobe Reader and Acrobat 7.0 through 7.0.8 that could -- although Adobe is not aware of any specific code exploits at this time -- allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious file must be loaded by the end user for an attacker to exploit these vulnerabilities. This issue is remotely exploitable. It is recommended that users update to Adobe Reader 8 or apply the workaround provided below."

I had Adobe Reader version 7 installed before applying the Adobe Reader 8 update, available for download from this link here. The "check for updates" feature in Reader 7 (select "Help" and the "Check for Updates") said I had the latest version of Reader -- when, of course I did not. So I downloaded the standalone installer, which cheerily replaced the previous version and installed the new one without issue (although it wasn't speedy, and this was on my super-fast machine).

Adobe says that users who for one reason or another can't upgrade to Reader 8 should replace a specific file in the program's directory. Instructions for how to do that are in the Adobe advisory's "Solution" section.

Most people reading this blog probably have some version of Adobe Reader on their machines that isn't version 8. Take a moment to check which version you are running (Click "Help," then "About Adobe Reader" if you're not sure) and update.

By Brian Krebs  |  December 8, 2006; 12:30 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: TSA Now Investigating Boarding Pass Hacker
Next: Monthly Microsoft Patch Release Won't Include Word Fix

Comments

I think Adobe deserves a scolding over how they seem to be handling 7.0.x Reader vulnerability. Telling an enterprise customer to jump versions or settle for some kludged-up "swap this DLL" solution is disappointing. An official MSI (or MSP patch) release simplifies and standardizes deployments and allows customers the breathing space they like to have before rolling out new versions of critical software components.

Posted by: Travis | December 8, 2006 1:37 PM | Report abuse

Instead of using the heavy, resource intensive adobe product, I've found fox it to be lightweight and pretty reasonable (doesn't handle 100% of pdf's, but its so fast, and doesn't bog down the system). of course its free (and i have no affiliation with them).

http://www.foxitsoftware.com/pdf/rd_intro.php

For every company's mistakes and bad practices - remember there are competitors...

Posted by: E O | December 8, 2006 1:41 PM | Report abuse

Time to Delete Your Adobe Reader:
Adobe Reader is bloated,slow and has security problems.
Replace it with the free Foxit Reader 2.0 for windows from Foxitsoftware.com. Download size 1.5meg, compare to 28 meg. for Adobe Reader.

Posted by: RLM52 | December 8, 2006 1:57 PM | Report abuse

I have Acrobat Standard on my machine, and no matter what I do, attempting to upgrade only the reader screws everything up. Everytime I try, I end up uninstalling and reinstalling the old version. I'm convinced they're doing this on purpose in an effort to force me to buy a new version of the software. Not likely.

Posted by: Becky | December 8, 2006 2:46 PM | Report abuse

To those recommending Foxit: how do we know it's any more secure than acroread? It doesn't appear to be open source...

Posted by: antibozo | December 8, 2006 2:50 PM | Report abuse

Weird. The Adobe security bulleting says that it affects Windows versions only, but I got a warning on my Mac that I needed to install it (along with 3 or 4 other updates). Then I got an error message that I didn't have the right version for at least one of the updates after they were all downloaded. Any idea whether this affeccts Macs?

Posted by: Spellman | December 8, 2006 3:01 PM | Report abuse

This seems far too conveniently timed to coincide with their big version 8 release. They should fix it in 7, not try to scare people into doing a major upgrade.

The version 7 series has been a nightmare, attempting to force reboots at the minor release level to run its resource sucking little autoupdate and "quick start" programs that actually measurably slow down the start time for my computer.

I recommend looking at the CutePDF suite for a cheaper, simpler solution. Even Microsoft Word 2007 can now export to PDF.

Posted by: matt | December 8, 2006 3:17 PM | Report abuse

I have Adobe 5.0.5 paid for on my machine (the whole suite) and I don't feel like paying $100 to upgrade. But I do feel like not having security holes.

So I downloaded the new version of Adobe Reader, and installed it, but it didn't work. So I uninstalled 5.0.5 and it still didn't work. So I uninstalled Reader 8.0 (and rebooted my system).

Then I installed Reader 8.0, then Adobe 5.0 then upgraded to 5.0.5. Restarted my machine again.

Now I managed to get Firefox to use the Reader 8.0, opening in that program rather than the plugin. IE interestingly was easy to disable the Adobe plugins, but when I go to a .pdf in IE, it says that it can't open the pdf file, but then opens it anyway, but in Adobe 5.0.5. Sigh.

Why do we put ourselves through all this? I've wasted an hour of my life. Now I'm going to go reorganize my start menu and delete annoying desktop icons that BOTH 5.0 and 8.0 have now put up, since there were no options (advanced or otherwise) to prevent this.

Posted by: Michael | December 8, 2006 4:51 PM | Report abuse

Has anyone else noticed the empty "Adobe" folder in the Start Menu after the install is finished?

It appears to be the folder that the old version put the "Download Manager". Either the download manager was deleted or the link wasn't created.

Either way, if other people are seeing this, then the "Adobe" installer is sloppy.

Posted by: Peter | December 8, 2006 4:58 PM | Report abuse

Brian--any comments on the comments? Still advise downloading? Thanks.

Posted by: helene | December 9, 2006 7:14 AM | Report abuse

I have the same problem with Mac as the reader (Spellman) above. No update past 7.0.5 has worked.

Posted by: John | December 9, 2006 12:25 PM | Report abuse

I'm giving Foxit a try, thanks, and I'm anxious to see how the two compare.

Bottom line, if you're not ready to uninstall Adobe, update it. Then go download and try an alternative reader and decide on which you like best. Then come back here and tell us what you decided.

Posted by: Bk | December 9, 2006 2:47 PM | Report abuse

In the past Adobe Reader was a great piece of software. But now it's bloated and buggy and has suffered many security issues.

So, I've decided to dump Adobe Reader. Currently evaluating Foxit or may just forgo any PDF reader.

I dumped Quicktime about a year ago and Real Player two years ago for the same reasons. If a website requires these products, I refuse to frequent that site and find an alternative.

These days, it is becoming imperative to limit the amount of software installed on a system to greatly lower its attack surface, as well as, reduce patch maintenance.

Of course, to really lower your attack surface: run as a non-admin!!!

Posted by: Tim | December 9, 2006 7:02 PM | Report abuse

I tried 3 times to download Adobe Reader 8 from the website: never got beyond the dialog box saying "waiting for a connection", even after 10 minutes.
I guess I'll wait until the update shows up in my "check for updates" feature.

Posted by: Mary Fran | December 10, 2006 10:56 AM | Report abuse

Security & foxit reader.

No, it's not open source (which doesn't assure greater security, but at least allows people to evaluate security - good guys and bad guys, easily). I would say that it undoubtedly has a smaller number of attack vectors (less functionality = less things that could go wrong with it).

On a day-to-day level, it makes PDF viewing considerably less painful - shorter load times, quicker response, all due to its smaller size. (no kitchen sink with this).

Finally, while it may not be intrinsically more secure, hackers are less likely to target it because it has dramatically lower install base (this has helped OSX as well).

Posted by: E O | December 10, 2006 2:01 PM | Report abuse

Security & foxit reader.

No, it's not open source (which doesn't assure greater security, but at least allows people to evaluate security - good guys and bad guys, easily). I would say that it undoubtedly has a smaller number of attack vectors (less functionality = less things that could go wrong with it).

On a day-to-day level, it makes PDF viewing considerably less painful - shorter load times, quicker response, all due to its smaller size. (no kitchen sink with this).

Finally, while it may not be intrinsically more secure, hackers are less likely to target it because it has dramatically lower install base (this has helped OSX as well).

Posted by: E O | December 10, 2006 2:02 PM | Report abuse

I guess people didn't get as excited as Adobe over their DRM-laden V8 upgrade. So they have to announce vulnerabilities in the V7 line, which of course will never be fixed.

Most product upgrade pages have a "new features", or "what has changed in this release" page. But you really have to dig around to find this information about Adobe 8. Foxit is looking better and better.

Posted by: M Neuss | December 11, 2006 8:59 AM | Report abuse

With version 7.0.8, "Check for Updates" listed a security update that was something like "download to unininstall old installer". (If memory serves.)

Anyway, I did that, and "Check for Updates" still doesn't mention the existence of a version 8.

Posted by: JohnJ | December 11, 2006 4:50 PM | Report abuse

I WANT TO TAKE A READING PRATICE QUIZ


Posted by: JUAN ESPINOZA | December 14, 2006 8:43 PM | Report abuse

I can't find where to turn off the auto-update feature of Adobe Reader 8.0.0.

Also, I still want to perform updates, but just when I choose.

Posted by: Dennis | December 20, 2006 5:53 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company