Feeds

Most Adobe Reader installs are out of date

Patchy patching leaves pdf backdoors open to intrusion

Boost IT visibility and business value

Six out of every 10 users of Adobe Reader are running vulnerable versions of the ubiquitous PDF reader package, according to stats from freebie anti-virus scanner firm Avast.

Adobe applications, behind only browsers and Microsoft Office as a favourite target for hackers, are regularly the target of Trojan-based hacking attacks, often featuring maliciously constructed attachments. Sometimes these attacks take advantage of unpatched vulnerabilities, a scenario applied to targeted attacks, but more often than not, malware writers attempt to exploit well-known, patched security bugs.

Users who fail to keep Adobe Reader up to date are therefore leaving themselves at a much greater risk of malware-based attack. Avast reckons 60.2 per cent of its customers who use Adobe Reader were running a vulnerable version of the program. Only 40 per cent of users had either the newest Adobe Reader X or were fully patched.

One in five users also had an unpatched version of Adobe Reader that was at least two generations old (8.x), it adds.

Adobe Reader was used by 80 per cent of Avast's users. The next most common PDF reader application, Foxit, featured in just 4.8 per cent of installations.

"There is a basic assumption that people will automatically update or migrate to the newer version of any program," said Ondrej Vlcek, CTO at AVAST Software. "At least with Adobe Reader, this assumption is wrong – and it's exposing users to a wide range of potential threats."

Knowing applications might be vulnerable, never mind keeping them up-to-date, is tricky, especially for non tech-savvy consumers. And if updating computers is laborious and time-consuming – as has historically been the case with Adobe software updates – this compounds the problem. Patching utilities, such as Secunia's PSI tool – which is free for consumers – can certainly help, but application developers also have a responsibility to make patching as painless as possible.

Although it is possible for users to be protected by running fully-patched versions of either Reader 8.x or 9.x, Adobe encourages users to upgrade to Adobe Reader X with Protected View (aka "sandboxing"). Windows users are further encouraged to opt into the automatic update option built into the latest version of Adobe's software.

The prevalence of malware attack against Adobe applications has encouraged some security firms, most notably F-Secure, to advocate the use of alternative PDF Reader packages, essentially because they are less likely to be attacked. As F-Secure points out, the PDF specification supports the ability to launch executables or run JavaScript, functionality that most legitimate documents will never need but features that provide rich pickings for malware creators.

"With specs like these, it's no wonder it takes ages for Adobe Reader to boot up and load all the plugins," Mikko Hyponnen, chief research officer at F-Secure, notes. "[And] It's no wonder there are regular security problems with PDF readers in general." ®

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?