Adobe still distributing old vulnerable Reader
Security service provider Secunia has reported that Adobe is still distributing versions of Adobe Reader that contain known vulnerabilities. On Tuesday, Adobe had warned in a security advisory of a critical vulnerability in version 9.3. Adobe stated it had released an out-of-series update to version 9.3.1 to fix the problem. However, users only get that more secure version through the update mechanism installed with Reader.
A test by The H found that Adobe is actually offering the old version on its official download page. This was confirmed by The H Update Check, which reported that the vulnerable 9.3.0 version was installed. Shortly afterwards, the built-in update mechanism in Reader kicked in and announced that a new version was ready for installation.
A similar problem occurred with Adobe in summer 2009. Users should manually update by triggering the update mechanism (select Help in Reader and then Check For Updates) immediately after installing the PDF reader - or just choose a safer alternative product.
See also:
- Two critical holes closed in Adobe Reader and Acrobat
- Adobe continues distributing insecure Reader
- The H Update Check
(djwm)