Adobe now only offers fully patched versions of Reader for download

As previously announced at the end of last month, Adobe is now only offering fully patched versions of its Reader product from the company's Download Centre. In the past, only the last major update of Reader, in this case version 9.3, was available from the get.adobe.com/reader/ page. Once installed, users were required to retrieve further patches through the application itself. A full version of the latest update, Reader 9.3.3, is now available to download directly from the Adobe Downloads portal.

Adobe's response comes as the result of criticism from a number of security experts pointing out that all newly downloaded and installed versions of Reader before the necessary patches were applied were initially vulnerable by default. The experts noted that, as the vendor's Reader and Flash Player products are two of the biggest gateways used by attackers, the company put its users under unnecessary risk.

It's worth noting that Adobe has taken a number of steps in recent months to improve the security of its products. In addition to regularly scheduled updates (and when necessary unscheduled ones) as part of its Secure Product Lifecycle SPLC, in mid-2009 Adobe announced that it would begin releasing it's security updates on a quarterly basis, with each quarterly update to coincide with a Microsoft Patch Tuesday.

Additionally, the company introduced an automatic update (silent update) feature in version 9.3.2 of Reader. By default, the updater downloads an update and requests user confirmation before installing it. Reader can also be configured to silently update and install available updates without requesting user confirmation.

See also:

• Adobe considers shorter update cycles, a report from The H.
• Adobe introduces automatic update for Reader, a report from The H.

(crve)