Feeds

Most Adobe Reader installs are out of date

Patchy patching leaves pdf backdoors open to intrusion

Using blade systems to cut costs and sharpen efficiencies

Six out of every 10 users of Adobe Reader are running vulnerable versions of the ubiquitous PDF reader package, according to stats from freebie anti-virus scanner firm Avast.

Adobe applications, behind only browsers and Microsoft Office as a favourite target for hackers, are regularly the target of Trojan-based hacking attacks, often featuring maliciously constructed attachments. Sometimes these attacks take advantage of unpatched vulnerabilities, a scenario applied to targeted attacks, but more often than not, malware writers attempt to exploit well-known, patched security bugs.

Users who fail to keep Adobe Reader up to date are therefore leaving themselves at a much greater risk of malware-based attack. Avast reckons 60.2 per cent of its customers who use Adobe Reader were running a vulnerable version of the program. Only 40 per cent of users had either the newest Adobe Reader X or were fully patched.

One in five users also had an unpatched version of Adobe Reader that was at least two generations old (8.x), it adds.

Adobe Reader was used by 80 per cent of Avast's users. The next most common PDF reader application, Foxit, featured in just 4.8 per cent of installations.

"There is a basic assumption that people will automatically update or migrate to the newer version of any program," said Ondrej Vlcek, CTO at AVAST Software. "At least with Adobe Reader, this assumption is wrong – and it's exposing users to a wide range of potential threats."

Knowing applications might be vulnerable, never mind keeping them up-to-date, is tricky, especially for non tech-savvy consumers. And if updating computers is laborious and time-consuming – as has historically been the case with Adobe software updates – this compounds the problem. Patching utilities, such as Secunia's PSI tool – which is free for consumers – can certainly help, but application developers also have a responsibility to make patching as painless as possible.

Although it is possible for users to be protected by running fully-patched versions of either Reader 8.x or 9.x, Adobe encourages users to upgrade to Adobe Reader X with Protected View (aka "sandboxing"). Windows users are further encouraged to opt into the automatic update option built into the latest version of Adobe's software.

The prevalence of malware attack against Adobe applications has encouraged some security firms, most notably F-Secure, to advocate the use of alternative PDF Reader packages, essentially because they are less likely to be attacked. As F-Secure points out, the PDF specification supports the ability to launch executables or run JavaScript, functionality that most legitimate documents will never need but features that provide rich pickings for malware creators.

"With specs like these, it's no wonder it takes ages for Adobe Reader to boot up and load all the plugins," Mikko Hyponnen, chief research officer at F-Secure, notes. "[And] It's no wonder there are regular security problems with PDF readers in general." ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.