Adobe spanked for insecure Reader app

Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild to install harmful malware on users' machines. Visitors who obtain Adobe Reader from the company's official downloads page will …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    But surely ...

    "Download, install, then update" -- is par for the course for anything from Adobe these days?

  2. Ian Bradshaw
    Paris Hilton

    FFS ...

    Just another example of the IT world presuming its users have a clue about what to do.

    How hard can it be to replace an exe on a downloads page?

    Paris ... well, she's got the braincell of 99.9% of end users.

  3. Big Al
    FAIL

    And yet....

    ... pressing the 'check for updates' button on a (Czech localised) copy of Reader 7.0 (yes, seven point zero) returns a reassuring message telling me that no updates are available...

  4. Ben Bradley
    Jobs Horns

    Rubbish

    I pretty much hate everything about Acrobat and the PDF format now... I use Foxit Reader instead (super-fast). All I want to do is open a PDF and not wait for 10 seconds whilst doing it. I don't want it to open in my browser either.

    I hate this "PDF trying to take over HTML" stuff they've added in recent years... Javascript, forms etc.

    The full Acrobat Pro has become really annoying to use as well. I have to do a fair amount of combining and re-organising PDFs created by morons and there's so many interface things that they've got horribly wrong... 5 mouse clicks where a single dialogue box could do the trick etc.

    And Photoshop/Illustrator have gone a similar way too. Every time a new version comes out all the many functions are moved and menus re-organised. Pretty annoying

  5. Phil Koenig
    FAIL

    Adobe is the new Satan: true

    Adobe has taken over the role of "most hated software vendor" for me these days.

    First of all, they are pushing the most ridiculously bloated junk of anyone now.

    Secondly, their software loves to install all sorts of nearly-useless background processes that bog your machine down when you're not _doing_ anything with their applications.

    Lastly, they have adopted Microsoft's stupid tactic of obfuscating the update process, pushing "smart downloaders" on users rather than just updating their full installers. These kinds of vendors like that because they can play games like claiming "Download Now - only 500kb!" - when in fact all you are downloading is a snoopware installer that phones home and downloads the _real_ monster that you never bargained for when you decided to do the install/update.

    Adobe actually has "updaters" available for Acrobat - but you really have to search for them. The worst part is you can't just easily install them (ie like back in the Reader 5.x/6.x days), there is some fiddly special procedure you have to go through that isn't documented. (unless you spend another 2 hours combing through the web trying to find out)

    I think all arrogant S/W vendors need to be subjected to a special form of painful torture.

  6. Jack Harrer

    @Ian Bradshaw

    Or offer as a standard small exe that downloads the current version with all hotfixes. Of course they should bury somewhere full pack for users that have more than 2 IT related brain cells.

  7. Ken Hagan Gold badge

    Re: FFS

    "How hard can it be to replace an exe on a downloads page?"

    Indeed, and how hard can it be to check for updates as part of the installation process? By the sound of things, you'd just need to fire up the reader with a "known safe" PDF file and let the existing code do its stuff. This approach is even better than updating the downloads page because it protects people who get Reader bundled with some other software. (This being a perversion much favoured by driver manufacturers.)

    Earth to Adobe: if you've gone to all the effort of creating a web-updates infrastructure and written the client code to use it then, er, why not use it?

  8. M7S
    Thumb Down

    Not helpful from Adobe

    We have to download the complete reader from the website to a server and then re-load it onto every PC here. Our firewall doesn't let the PCs update directly, so this is no good to us. I'm sure there are ways around this for the knowledgeable but we're a small enterprise and there are limits to our skills and budget. We've plumped for the safer firewall settings as the net benefit is greater.

  9. Julian I-Do-Stuff
    Unhappy

    And then...

    Does 9 automatically uninstall 8 first - or not? Doesn't say. I hate apps that fail to acknowledge previous incarnations of themselves.

    And BTW... why doesn't 8 find 9 when I check for updates?

    God I hate computers.

  10. David Gosnell

    Download, install, then update

    Or in my case: attempt to download, get bored waiting, think the better of it, then install Foxit Reader instead and never look back.

  11. Matthew Hepburn

    My advice to Acrobat users would be....

    To never touch the overweight, bloated, insecure crudware ever again.

    Get Foxit Reader, and experience a fast PC again. www.foxitsoftware.com

  12. Stuart Castle Silver badge

    Now this really takes the biscuit..

    I help manage a network of a few hundred PCs. Luckily I've been able to include the 9.1.2 update in with our Adobe Reader install, the testing for which has cost us extra time. We don't generally allow users admin rights (well, we do with some staff). Mainly because we found that where we did give users admin rights, the average time between setting up Windows and the machine being left unusable was 1 week.

    But, we have a mechanism in place where we can distribute patches fairly easily. It still would have been easier for Adobe to release a new EXE though. Hell, where the users do have admin rights, they still tend to ignore requests to install patches.

    It's not good enough to just expect people to update. They won't. Look at the amount of viruses/trojans around that still exploit vulnerabilities patched in Windows several years ago, and Microsoft's automatic updates system can be quite hard to ignore. People still do it though (I realise that there are a lot of key numbers blocked from Windows Updates, but there aren't that many).

    It's not fair to say that all people will ignore the update prompts. Some won't, but enough do that it will be a problem. They may not ignore it deliberately. It may be a case of they run Adobe Reader to view a document, see the prompt to update and think "Oh, I am reading this, I'll do it later" and forget to run Reader again.

    My point is that there have been some serious bugs found in Reader recently. I don't think it's good enough that Adobe are expecting people to patch their download, no matter how easy the process may be. Especially when all they have to do is rebuild the full installer so it includes the patch.

  13. Anonymous Coward
    Anonymous Coward

    Adobe Updater

    Quick question.

    'Is Adobe Updater the worst program ever written?'

    None of my (legit) Adobe apps, installed with the default settings can be updated using this PoS.

  14. Anonymous Coward
    Anonymous Coward

    Adobe Updater

    Says it all, Adobe simply wants you to run it.

    I'd like to know how to get rid of that piece of malware completely. I've disabled it, deleted it, blocked it in the firewall and I still get pop-ups saying there's an update to Adobe Reader.

  15. Rumpelstiltskin
    FAIL

    @Ian Bradshaw

    Apparently it's just as hard as releasing non-incremental patches. Try updating version 8 of their reader to its latest version.

  16. Anonymous Coward
    Thumb Down

    There are better alternatives

    I stopped using Adobe Reader ages ago. There are better, less annoying, less bloated alternatives. Reader is a nightmare of slow, inefficient bloat. It's merely a reader ffs !

  17. James O'Brien
    Paris Hilton

    (Title Required My Shiny Metal Ass) :)

    "will notify users of any pending updates"

    How many of us here have seen someone with a copy of Reader that's just been installed and the user clicks 'Cancel' or 'Remind me Later (indefinitely)' therefore leaving themselves open?

    Me around 10k or so.

    Knobheads.

    /PH because she would never go around unprotected.

  18. Anonymous Coward
    Pirate

    Add me to the list of Adobe haters

    Aside from all that's bad about Adobe mentioned above let's not forget their patently unfair software price fixing they subject EU users to. I heartily recommend the piracy of all their software, especially the ridiculously overpriced Photoshop. The quicker this monster is slain the better, IMO.

  19. Anonymous Coward
    Anonymous Coward

    Just like Windows, then?

    "Download, install, then update".

  20. David Austin

    required

    Still on Acrobat 5.5 - the last light and responsive version they made.

    Probably not secure by any stretch, but the way I look at it, version 7/8/9 is so bloated, it's actually more harmful than a malformed PDF.

  21. SteveK

    Breaks central installations too

    Like a good number of business environments, our users mostly just have standard user accounts so don't have rights to install updates so applications which only want you to update from within the application are a major pain. (As are applications whose sole use is in a corporate environment, dealing with personal data and financial records that expect - demand if you want support - the users to all have local admin rights, but that's a rant for another day)

    So I push out software centrally. To make things easy I set up a central installation of Acrobat Reader, customised with a transform to stop it installing Air and so on. Then, following Adobe's recommendations, patched that to 9.1.1. When 9.1.2 came out I tried doing the same, but the installer failed. From searching the Adobe forums where a number of others were getting the same error it seems you can't apply the 9.1.2 patch to a 9.1.1 central installation. Instead you have to remove it, reinstall the bare 9.1.0 to your servers and then patch that.

    Argh!

    Steve.

  22. Tony Paulazzo
    Pint

    @ Ben Bradley

    Thanks for the Foxit pointer. Installed and running by the time it took to finish the comments. Word to the wise, manual install, unless you want Ebay links, a new toolbar and quick launch / desktop icons. Why (oh why) can't programs just install themselves anymore?

    I've now got quicktime alt and realvideo alt for the extremely rare times they are required. In fact, like all Apple software, I would've sacked Adobe software, but I grew up with Dreamweaver.

    A virtual beer for you :-)

  23. Anonymously Deflowered

    Download, install, update...

    ...bloat, update, bloat, update, .... ignore

    Pile of shit software. I want something lightweight, that loads quickly, displays the contents of a PDF and lets me zoom in/out and print. I've given up updating my software because the updates are so frequent and time consuming, and I'm sure I'm not alone in choosing to leave my software unpatched like this.

    If they removed the bloat, surely they'd also reduce the number of vulnerabilities?

    And anyway, why does software that displays the contents of a document even HAVE "vulnerabilities"?

  24. Psymon

    Adobe products are a huge problem on corporate networks

    ...for many reasons.

    Non-standard installers for many of their products have proven to cause endless headaches when trying to deploy the packages over the network.

    Installer packages that ask for the product key on first run?

    Don't be stupid - I'm not walking round 300 machines manually entering the photoshop product key! On top of that, the installer only installs the registry keys and shortcuts for the currently logged on user. That's not even acceptable behaviour on home computers!

    Adobe still seem to be clinging to this antiquated concept of single user, single machine in console control, that shows just how immature and arrogant this company still is.

    Every iteration of Acrobat since version 6 has made it a lesser, not better product. Yet more half-baked pointless features get piled into it while weaknesses in the core functionality remain unchanged. No wonder vulnerabilities have cropped up.

    So we have pretty big problems before we even get to the updating issue.

    There is absolutely no workable means of centrally managing Adobe updates - something that's critical for internet facing applications like Acrobat. Trust me, I've tried it all. - repackaging, MSP patch files, scripts...

    Instead you have to rely on your users to regularly patch and update these critical flaws </shudder>

    Discounting the real dross of software that no network manager worth his salt would allow to be installed (turdware punters like RealNetworks, Creative, Bonzi, Apple or Pointcast) and you're left with Adobe holding the dubious prize of being the biggest chink in your network's armour.

  25. Anonymous Coward
    FAIL

    Firefox is just as bad

    I updated FF3 yesterday, and the check for updates only gave me FF3.5.

    I then had to do a separate update to FF3.5.1

  26. Steve 72

    What's Adobe?

    Gave it up years ago. Bloated insecure garbage.

    Consistently.

    Tracker (pdf-exchange) and Foxit (to name two others) do the job just fine.

  27. Albert Waltien
    Grenade

    @Psymon

    And on top of all that (o, so true!), Creative Suite 3 in an enterprise environment dumps massive config files in the user's profile so he has instantly exceeded his allowed profile storage space and he can't even log off unless he can figure out what happened (not half likely) and deletes the rubbish.

    Maybe we need a dog-droppings icon??

  28. Colin Barfoot
    Stop

    goes down like a ton of adobes

    You can try a manual update. For Windows the info is in

    http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd

    and the patch is here,

    http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1.2/misc/AdbeRdrUpd912_all_incr.msp (6MB)

  29. Anonymous Coward
    Linux

    It's interesting ...

    Here in sad old geeky Linux-land PDFs and raw PostScript files just render in the native viewer, complete with bookmarks, thumbnails, etc. No Adobe reader needed (although there IS one for linux, which is totally pointless, just as bloated and slow) no third-party software needed. It all just works. Even within the browser.

    An additional plus is the thumbnails on the desktop of both PDF and PostScript files, too.

    Nice. And free. And very fast.

  30. Martin Edwards
    Thumb Down

    And for corporate users...

    At work I dutifully registered for Adobe's site license thing (I forget the name) for the 50-machine network I manage. I'm frustrated to report that when I follow the link in the resulting e-mail to download Reader (there's a version without AIR and Acrobat.com, which is nice) I'm served the 9.0 installer. After installation, on first run this prompts to be updated but only to version 9.1.0, then restarts Reader but fails to re-run the Updater; manually starting it this second time reveals the 9.1.2 patch which can then be installed.

    (These version numbers are from memory... I hope I've got them right).
