A majority of Adobe Reader users are not bothering to update the software to Version X, the latest available edition, making them highly vulnerable to targeted attacks using malicious PDF files.
Nearly six out of every 10 users are running an outdated version of
Adobe Reader, leaving them highly vulnerable to PDF-based attacks, according to Avast Software.
The anti-malware vendor analyzed the users who had avast antivirus
installed on the computers and found that more than half of the users
with Adobe Reader had an outdated and vulnerable version of the
software, the company said. To be clear, that's not 60 percent of all
the users running avast but 60 percent of avast users who happen to
have Adobe Reader installed.
That seems like a really fine distinction to draw, except Avast found
that only 80 percent of its users run Adobe Reader. Foxit commanded
about five percent user share and the remaining 15 percent either
didn't have a PDF reader or ran some other program.
"Attackers go where the users are," David Lenoe, head of Adobe's
product security incident response team, told eWEEK during a briefing in June, noting that Reader
and Acrobat are one of the most popular software programs in the world.
As for Avast, 60 percent of users with Adobe Reader is significant, and
the breakdown reveals more interesting facts. Most of the users are
running version 9, followed by version 8. There were even users still
running version 3, which dates back to 1996. Considering that
cyber-attackers regularly target Web browsers, Microsoft Office
applications and Adobe software, including Acrobat, Reader and Flash
Player, running such an old version is just asking to be attacked.
"There is a basic assumption that people will automatically update or
migrate to the newer version of any program," said Ondrej Vlcek, CTO at
AVAST Software, noting that assumption appears to be wrong with Adobe
Attackers regularly attach maliciously constructed PDF files to email
messages and trick users into opening the file. While some of these
rogue PDF files may exploit a zero-day vulnerability, more often than
not, the malware writers are targeting well-known security flaws Adobe
has already patched, knowing that many users wouldn't have updated
With the introduction of sandboxing technologies in Reader X, the
number of attacks has dropped dramatically, Lenoe said, but attackers
continue to target older programs.
With this number in mind, it makes even more sense why Adobe is rolling out the automatic update option
to its Acrobat and Reader users. There are just too many users out
there who are not upgrading when prompted to and too many users whose
vulnerability may potentially result in their work network being
Some enterprises prefer testing all updates to ensure there are no
conflicts with all the other applications installed, Lenoe said. For
those organizations, automatic updates will not make sense, but for
most users, automatic updates will help make sure people are all
up-to-date, Lenoe said.
Users should run Adobe Reader X since its sandbox technology
has shown several times this spring at how well it is able to contain malware exploiting various zero-day vulnerabilities
and keep the users safe. If for any reason they can't upgrade to X,
they should at least run versions 8 and 9, since Adobe continues to
regularly release security updates for those versions as well.
Many security companies, including F-Secure, recommend that users run
alternative PDF readers instead of Adobe Reader. Users of other PDF
Reader packages, such as Foxit, are generally safe for the time being
because attackers haven't customized their attacks to those programs
that most legitimate documents will never use, but are perfect attack
vectors for malicious perpetrators. "It's no wonder there are regular
security problems with PDF readers in general," wrote Mikko Hyponnen,
chief research officer at F-Secure.
For those 40 percent of avast users with Adobe software who are
running fully patched versions of Adobe Reader or had Adobe Reader
X, keep up the good work.