Feeds

The long road to Reader and Flash security Nirvana

Critical Adobe updates not easy to come by

The Power of One eBook: Top reasons to choose HP BladeSystem

Updated Adobe on Tuesday patched a hole in its ubiquitous Acrobat Reader program that allows attackers to remotely install malware without requiring unsuspecting users to do anything more than browse to the wrong website.

Real-world attacks targeting the vulnerability, which affects all versions of Reader, have been circulating for the past three weeks. The update is for Windows and Mac users only. Those running Reader on Linux will have to wait another one to two weeks before their patches are available. That seems like a long time to wait.

People who don't want Google toolbar foisted upon them are reminded to unclick the "install Google toolbar" checkbox, which can be easy to miss.

To be fair, those attacks are narrowly tailored and require victims to actually open a booby-trapped file. But researcher Didier Stevens has created a proof-of-concept attack that uses the Reader vulnerability to take control of a PC without requiring a user to double-click on anything.

The Reader vulnerability is only the latest security peril to be unleashed on the masses by software from Adobe. Two weeks ago, the company pushed out out a fix for critical vulnerabilities in its Flash player. According to researchers at Secunia, "at least one of them is quite nasty and does indeed allow remote code execution in a very reliable manner."

Like a lot of Reg readers, your reporter is the de facto system administrator for a lot of friends and family members. More than a week after Adobe released the Flash update, none of the 10 PCs in his care had automatically received it. That meant the patch had to be installed manually on each machine.

What's more, computers using more than one browser would appear to need two updates - one for Internet Explorer and another for Firefox. For an update so important, Adobe is certainly making us work awfully hard to install it, no?

Until Adobe makes the process more user-friendly, the best thing to do is to manually check each machine you care about using this link for Flash. We couldn't find a similar link for Reader, so the easiest way to make sure you're current is to open it and choose "check for updates" in the Help menu.

Better yet, use Secunia's Personal Sofware Inspector to stay on top of critical updates for hundreds of third-party applications. We also welcome feedback from Adobe on ways people can lessen the updating pain.

However you update your Adobe software, make sure that you do. The PC you save, may be your own. ®

This article was updated after Adobe released its patch. It was also corrected to reflect that the patch covers Mac versions of Reader, in addition to Windows versions.

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.