Adobe Downloads Not Always Up-to-Date for Security Fixes

Computerworld has published an interesting article explaining that “Adobe has acknowledged that some users are vulnerable to attack after downloading an outdated version of Reader from its Web site.” It turns out that when Adobe makes “single-dot releases” – such as Adobe Reader 9.1 – they issue full installers and provide them for download from their web sites. But minor updates – such as 9.1.1 – don’t get onto the web site for download. These updates are only available from Adobe Updater, an auto-update tool installed when you install Adobe Reader or other Adobe software.

“Patch-only updates are common in software, but the problem with Adobe’s practice is that it continues to provide an out-of-date edition that many times isn’t updated with the latest patches.” This means that when users read about a security issue in, say, Adobe Reader, and go to the Adobe web site to download the latest version of the program, that version is likely not to contain the necessary security fix.

We have to admit that we’ve been taken in by Adobe’s download policy. The last time we discussed an issue with Adobe Reader, we directed users to Adobe’s security bulletin, which, in turn, instructed them to download the latest version of the software from the program’s download page, rather than updating Adobe Reader using Adobe Updater. We’ll make sure, in the future, to recommend this latter method of patching Adobe software, as Adobe cannot be trusted to provide the proper versions of its programs on the web, as other vendors do.