Most Adobe Reader Users Running Outdated, Unpatched Versions

A majority of Adobe Reader users are not bothering to update the software to Version X, the latest available edition, making them highly vulnerable to targeted attacks using malicious PDF files.

Nearly six out of every 10 users are running an outdated version of Adobe Reader, leaving them highly vulnerable to PDF-based attacks, according to Avast Software. The anti-malware vendor analyzed the users who had avast antivirus installed on the computers and found that more than half of the users with Adobe Reader had an outdated and vulnerable version of the software, the company said. To be clear, that's not 60 percent of all the users running avast but 60 percent of avast users who happen to have Adobe Reader installed.

That seems like a really fine distinction to draw, except Avast found that only 80 percent of its users run Adobe Reader. Foxit commanded about five percent user share and the remaining 15 percent either didn't have a PDF reader or ran some other program.

"Attackers go where the users are," David Lenoe, head of Adobe's product security incident response team, told eWEEK during a briefing in June, noting that Reader and Acrobat are one of the most popular software programs in the world.

As for Avast, 60 percent of users with Adobe Reader is significant, and the breakdown reveals more interesting facts. Most of the users are running version 9, followed by version 8. There were even users still running version 3, which dates back to 1996. Considering that cyber-attackers regularly target Web browsers, Microsoft Office applications and Adobe software, including Acrobat, Reader and Flash Player, running such an old version is just asking to be attacked.

"There is a basic assumption that people will automatically update or migrate to the newer version of any program," said Ondrej Vlcek, CTO at AVAST Software, noting that assumption appears to be wrong with Adobe Reader.

Attackers regularly attach maliciously constructed PDF files to email messages and trick users into opening the file. While some of these rogue PDF files may exploit a zero-day vulnerability, more often than not, the malware writers are targeting well-known security flaws Adobe has already patched, knowing that many users wouldn't have updated their software.

With the introduction of sandboxing technologies in Reader X, the number of attacks has dropped dramatically, Lenoe said, but attackers continue to target older programs.

With this number in mind, it makes even more sense why Adobe is rolling out the automatic update option to its Acrobat and Reader users. There are just too many users out there who are not upgrading when prompted to and too many users whose vulnerability may potentially result in their work network being compromised.

Some enterprises prefer testing all updates to ensure there are no conflicts with all the other applications installed, Lenoe said. For those organizations, automatic updates will not make sense, but for most users, automatic updates will help make sure people are all up-to-date, Lenoe said.

Users should run Adobe Reader X since its sandbox technology has shown several times this spring at how well it is able to contain malware exploiting various zero-day vulnerabilities and keep the users safe. If for any reason they can't upgrade to X, they should at least run versions 8 and 9, since Adobe continues to regularly release security updates for those versions as well.

Many security companies, including F-Secure, recommend that users run alternative PDF readers instead of Adobe Reader. Users of other PDF Reader packages, such as Foxit, are generally safe for the time being because attackers haven't customized their attacks to those programs yet.

PDF files can launch executables and run JavaScript. These are features that most legitimate documents will never use, but are perfect attack vectors for malicious perpetrators. "It's no wonder there are regular security problems with PDF readers in general," wrote Mikko Hyponnen, chief research officer at F-Secure.

For those 40 percent of avast users with Adobe software who are running fully patched versions of Adobe Reader or had Adobe Reader X, keep up the good work.