Feeds

Most Adobe Reader installs are out of date

Patchy patching leaves pdf backdoors open to intrusion

Choosing a cloud hosting partner with confidence

Six out of every 10 users of Adobe Reader are running vulnerable versions of the ubiquitous PDF reader package, according to stats from freebie anti-virus scanner firm Avast.

Adobe applications, behind only browsers and Microsoft Office as a favourite target for hackers, are regularly the target of Trojan-based hacking attacks, often featuring maliciously constructed attachments. Sometimes these attacks take advantage of unpatched vulnerabilities, a scenario applied to targeted attacks, but more often than not, malware writers attempt to exploit well-known, patched security bugs.

Users who fail to keep Adobe Reader up to date are therefore leaving themselves at a much greater risk of malware-based attack. Avast reckons 60.2 per cent of its customers who use Adobe Reader were running a vulnerable version of the program. Only 40 per cent of users had either the newest Adobe Reader X or were fully patched.

One in five users also had an unpatched version of Adobe Reader that was at least two generations old (8.x), it adds.

Adobe Reader was used by 80 per cent of Avast's users. The next most common PDF reader application, Foxit, featured in just 4.8 per cent of installations.

"There is a basic assumption that people will automatically update or migrate to the newer version of any program," said Ondrej Vlcek, CTO at AVAST Software. "At least with Adobe Reader, this assumption is wrong – and it's exposing users to a wide range of potential threats."

Knowing applications might be vulnerable, never mind keeping them up-to-date, is tricky, especially for non tech-savvy consumers. And if updating computers is laborious and time-consuming – as has historically been the case with Adobe software updates – this compounds the problem. Patching utilities, such as Secunia's PSI tool – which is free for consumers – can certainly help, but application developers also have a responsibility to make patching as painless as possible.

Although it is possible for users to be protected by running fully-patched versions of either Reader 8.x or 9.x, Adobe encourages users to upgrade to Adobe Reader X with Protected View (aka "sandboxing"). Windows users are further encouraged to opt into the automatic update option built into the latest version of Adobe's software.

The prevalence of malware attack against Adobe applications has encouraged some security firms, most notably F-Secure, to advocate the use of alternative PDF Reader packages, essentially because they are less likely to be attacked. As F-Secure points out, the PDF specification supports the ability to launch executables or run JavaScript, functionality that most legitimate documents will never need but features that provide rich pickings for malware creators.

"With specs like these, it's no wonder it takes ages for Adobe Reader to boot up and load all the plugins," Mikko Hyponnen, chief research officer at F-Secure, notes. "[And] It's no wonder there are regular security problems with PDF readers in general." ®

Beginner's guide to SSL certificates

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
US government fines Intel's Wind River over crypto exports
New emphasis on encryption as a weapon?
To Russia With Love: Snowden's pole-dancer girlfriend is living with him in Moscow
While the NSA is tapping your PC, he's tapping ... nevermind
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Slap for SnapChat web app in SNAP mishap: '200,000' snaps sapped
This is what happens if you hand your username and password to a 3rd-party
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.