14 security holes
A security
outfit has complained that Adobe is delivering an out-of-date version of
Reader to users who download the popular application from its Web
site.
Danish vulnerability tracking vendor Secunia said that the version
the Adobe site offers includes at least 14 security vulnerabilities
that have been patched by the company in the last two months.
It noticed Adobe was offering an outdated Reader when users of its Personal
Software Inspector (PSI) utility started complaining when the tool said they
were running a vulnerable version, even though they had just downloaded the
PDF viewer.
Mikkel Winther, the manager of the PSI partner program, said
that users had downloaded the latest Reader, but still PSI was telling them
that it was vulnerable. Secunia was worried that PSI was throwing off a
"false positive," but that wasn't the case. The version now hosted on
Adobe's Web site, said Winther, is Reader 9.1, an edition that was released
March 10 to plug several holes, including one that had been actively
exploited by hackers since at least January.
Adobe has issued two security
updates since then. The first, released May 12, patched another "zero-day"
bug in Reader, while the second, issued June 9, fixed at least 13 critical
flaws reported by outside researchers and secretly patched an unspecified
number of bugs found by Adobe's own security team.
Adobe has defended its
antics, saying that it was normal. "Adobe Reader 9.1 for Windows is the most
recent full installer of the product," said a company spokesman. "Adobe
Reader 9.1.1 and 9.1.2 for Windows are patches that require Adobe Reader 9.1
to be present. This is the reason users are offered Adobe Reader 9.1 via the
'Get Adobe Reader' page on Adobe.com." (Even Microsoft offers instant-updates on its products before installing, for a while now. Ed.)