Adobe continues distributing insecure Reader

Adobe's "Get Reader" page still offers the unpatched Reader 9.1 In the last few months, after security flaws were found in Adobe Reader, Adobe has updated version 9.1, first to 9.1.1 and then to 9.1.2, to close those security holes. However, security experts Secunia have noticed that Adobe continues to distribute version 9.1 from their website. The H verified that Adobe does still offer version 9.1 on the Adobe Reader download page for Windows and Mac users, although Linux users are offered version 9.1.2.

The likely problem scenario is that a user receives a malicious PDF file and then, finding no PDF reader installed, installs Reader from the official Adobe web site, and runs it to view the PDF. As the Reader is unpatched, the malicious PDF can exploit the users system. In mitigation, Secunia does note that the 9.1 installer also installs Adobe Updater which will, eventually, check for updates and bring the software up to date. Adobe should follow best practices though and update their distribution packages with security fixes, rather than allowing an updater application to patch the application some time after installation.

If Adobe Reader has been installed recently, check your version number by selecting "Help" then "About Adobe Reader 9". If it is not version 9.1.2 (the current version), run the Adobe Updater to get the latest fixes or download the latest updates.

(djwm)