Adobe Offers Unpatched Version of Reader - But Don't Panic
Adobe has talked a lot about security lately. A few months ago, the company announced it was changing its patching and development process. Now, officials at Secunia are reporting that the version of Adobe Reader available for download on Adobe's Website is both old and riddled with vulnerabilities.
According to Secunia, the version on the site is Reader 9.1, which has at least 14 security vulnerabilities that have been patched by the company in the past two months. The issue was discovered when users of Secunia's Personal Software Inspector (PSI) reported that the tool kept flagging the version of Reader they were running as vulnerable even though they had just downloaded it from Adobe.
Now, in Adobe's defense, version 9.1 for Windows is the most recent full installer of the product, and versions 9.1.1 and 9.1.2 for Windows are only patches that require version 9.1 to be present.
"This is the reason users are offered Adobe Reader 9.1 via the 'Get Adobe Reader' page on Adobe.com," an Adobe spokesperson said. "Once Adobe Reader 9.1 is installed, the Adobe Updater technology will subsequently offer the Adobe Reader 9.1.1 and 9.1.2 patches. Adobe Updater will check for updates immediately on first launch. Thereafter, Adobe Updater checks for updates every seven days from that first launch."
Alternatively, users can manually apply the patches through the Product updates section of the site or click on "Help > Check for Updates" to make sure their product is up-to-date.
Given Adobe's explanation, Secunia's advisory may seem like something of a false alarm, since users cannot run the patched versions without first installing the original edition. But Secunia's overall point - that users need to pay attention to whether or not their programs are patched - is absolutely true.
"PC users need to patch! They need to patch all their vulnerable programs and they need to do so as fast as possible after the patch has been issued from the vendor," Mikkel Winther, PSI Partner Manager, said in a statement. "Failing to do so is playing Russian Roulette with your IT security - it is only a question of time - and luck - when your system will be compromised."