Feeds

Most Adobe Reader installs are out of date

Patchy patching leaves pdf backdoors open to intrusion

Securing Web Applications Made Simple and Scalable

Six out of every 10 users of Adobe Reader are running vulnerable versions of the ubiquitous PDF reader package, according to stats from freebie anti-virus scanner firm Avast.

Adobe applications, behind only browsers and Microsoft Office as a favourite target for hackers, are regularly the target of Trojan-based hacking attacks, often featuring maliciously constructed attachments. Sometimes these attacks take advantage of unpatched vulnerabilities, a scenario applied to targeted attacks, but more often than not, malware writers attempt to exploit well-known, patched security bugs.

Users who fail to keep Adobe Reader up to date are therefore leaving themselves at a much greater risk of malware-based attack. Avast reckons 60.2 per cent of its customers who use Adobe Reader were running a vulnerable version of the program. Only 40 per cent of users had either the newest Adobe Reader X or were fully patched.

One in five users also had an unpatched version of Adobe Reader that was at least two generations old (8.x), it adds.

Adobe Reader was used by 80 per cent of Avast's users. The next most common PDF reader application, Foxit, featured in just 4.8 per cent of installations.

"There is a basic assumption that people will automatically update or migrate to the newer version of any program," said Ondrej Vlcek, CTO at AVAST Software. "At least with Adobe Reader, this assumption is wrong – and it's exposing users to a wide range of potential threats."

Knowing applications might be vulnerable, never mind keeping them up-to-date, is tricky, especially for non tech-savvy consumers. And if updating computers is laborious and time-consuming – as has historically been the case with Adobe software updates – this compounds the problem. Patching utilities, such as Secunia's PSI tool – which is free for consumers – can certainly help, but application developers also have a responsibility to make patching as painless as possible.

Although it is possible for users to be protected by running fully-patched versions of either Reader 8.x or 9.x, Adobe encourages users to upgrade to Adobe Reader X with Protected View (aka "sandboxing"). Windows users are further encouraged to opt into the automatic update option built into the latest version of Adobe's software.

The prevalence of malware attack against Adobe applications has encouraged some security firms, most notably F-Secure, to advocate the use of alternative PDF Reader packages, essentially because they are less likely to be attacked. As F-Secure points out, the PDF specification supports the ability to launch executables or run JavaScript, functionality that most legitimate documents will never need but features that provide rich pickings for malware creators.

"With specs like these, it's no wonder it takes ages for Adobe Reader to boot up and load all the plugins," Mikko Hyponnen, chief research officer at F-Secure, notes. "[And] It's no wonder there are regular security problems with PDF readers in general." ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.