BelchSpeak


Cyberfail

Adobe Offers Insecure Acrobat Reader Version as Download UPDATE: New 0-Day Attacks Exploiting Adobe Vuls

Someone sends you a document to look at, but upon opening it you learn that the doc is an Adobe PDF file and you need the free Adobe Acrobat Reader to view it. So you go to Adobe and download the file they suggest you use. The problem is that the official reader version Adobe is distributing is critically flawed.

Secunia has the lowdown here:

There has recently existed some confusion amongst the users of the Secunia PSI as they are puzzled as to why the latest downloaded Adobe Reader version from Adobe.com is reported as insecure by Secunia PSI.

Is it a false positive? Due to the detection method (looking at the actual files available on the hard-drive of a PC) used in the Secunia PSI, false positives are very unlikely.

A mistake in the Secunia PSI? Perhaps, but we are happy to learn that the Secunia PSI is correct, but surprised to discover that Adobe ships insecure software to their users!

The installation of Adobe Reader usually happens like this:

1) The user receives a PDF file (usually considered a “safe” file format), only to discover that there is no PDF reader on the PC.
2) The user visits Adobe.com to download the latest version of Adobe Reader from the official download site. When the installation is complete, the user has version 9.1.0 installed – both as a stand-alone program and as a browser plugin – which is known to be affected by numerous code execution vulnerabilities.
3) If the user opens a malicious PDF, the damage is done and the system could easily be compromised!

In Adobe’s defence: They do also automatically install the “Adobe Updater” on your PC when you install Adobe Reader, which eventually checks for updates for your new Adobe Reader installation. Hereafter, “Adobe Updater” dutifully notifies you about the fact that available updates are present, which of course, you need to click, agree to download, and wait for the installation to finish – all before you open that PDF file, which was the whole reason you installed Adobe Reader in the first place…

…remember: The criminals only need one unpatched program to compromise your machine!

It seems pretty irresponsible to me to distribute known bad software to users, especially in the face of exploits against that software existing in the wild.
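The Secunia excerpt credits its result to looking at the actual files on disk rather than trusting what the download page says. Below is an added example (not Secunia's, Adobe's, or this post's code) of that kind of check: an inventory of installed PDF-reader components, each with the version string read from its file, is compared against a per-product minimum patched version. The inventory, file paths and policy thresholds are constructed for illustration; the "9.9.9" threshold is a placeholder to be replaced with the vendor's current patched version, which the post does not state. The example also shows why the comparison must be numeric per component, since a plain string compare would rank "9.10.0" below "9.9.9".

```python
"""Audit installed PDF-reader components against a minimum patched version.

Added example modelled on the on-disk version check the post attributes to
Secunia PSI. All products, paths, versions and thresholds below are
constructed sample data, not real findings.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    product: str   # product family the policy is keyed on
    role: str      # "standalone" or "browser plugin" (the post notes both get installed)
    path: str      # where the file was found (constructed path)
    version: str   # version string read out of that file


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.1.0' into (9, 1, 0) so components compare as integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(installed: str, min_patched: str) -> bool:
    """True when the installed version is older than the minimum patched one.

    Short versions are right-padded with zeros so '9.1' equals '9.1.0'.
    Integer tuples avoid the string-compare mistake where '9.10.0' < '9.9.9'.
    """
    a, b = parse_version(installed), parse_version(min_patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory: list[Component], policy: dict[str, str]) -> list[tuple[Component, str]]:
    """Label every component 'insecure', 'ok', or 'no policy'.

    Components without a policy entry are surfaced rather than silently
    skipped, because an unknown reader is itself something to follow up on.
    """
    findings: list[tuple[Component, str]] = []
    for component in inventory:
        floor = policy.get(component.product)
        if floor is None:
            findings.append((component, "no policy"))
        elif is_vulnerable(component.version, floor):
            findings.append((component, "insecure"))
        else:
            findings.append((component, "ok"))
    return findings


# PLACEHOLDER thresholds: substitute each vendor's current patched version.
POLICY = {
    "Adobe Reader": "9.9.9",
    "OtherPDF Viewer": "2.10.0",
}

# Constructed inventory: the 9.1.0 install from the post shows up twice, once as
# the stand-alone program and once as the browser plugin, exactly as described.
INVENTORY = [
    Component("Adobe Reader", "standalone",
              r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe", "9.1.0"),
    Component("Adobe Reader", "browser plugin",
              r"C:\Program Files\Adobe\Reader 9.0\Reader\nppdf32.dll", "9.1.0"),
    Component("OtherPDF Viewer", "standalone",
              r"C:\Program Files\OtherPDF\viewer.exe", "2.10.3"),
    Component("Mystery Reader", "standalone",
              r"C:\Program Files\Mystery\reader.exe", "1.0"),
]


def insecure_paths(inventory: list[Component], policy: dict[str, str]) -> list[str]:
    """Convenience view: just the file paths that need patching."""
    return [c.path for c, status in audit(inventory, policy) if status == "insecure"]


if __name__ == "__main__":
    for component, status in audit(INVENTORY, POLICY):
        print(f"{status:9} {component.product} ({component.role}) {component.version} at {component.path}")
```

Run as a script it prints one line per component; the two Adobe Reader entries come back "insecure" because 9.1.0 sits below the placeholder threshold, the browser plugin included, which matters because a drive-by PDF in the browser reaches the plugin before the user ever launches the stand-alone reader.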

UPDATE! New 0-Day attacks are targeting the newest version of Adobe Acrobat and Flash. Attackers appear to be using trojanized Adobe documents to exploit a new vulnerability, so don’t open any attachments from people you don’t know.

Dr. Jones
