Adobe Patches & Communication

Well, Adobe are still not speaking to me: I’ve had no information about updates to address the recent Acrobat vulnerability/exploits to either of the addresses I subscribed to its Security Notification Service. (See PPPS below.)

However, something positive is happening out there in the old clay homestead: updates have arrived for a machine on which I have Acrobat 8, though not for the machine next to it, which still runs 7 (I’ll have to look at that issue in a minute).

In case Adobe aren’t speaking to you either, here’s what it recommends:

  • Acrobat Reader users: if you can, upgrade to Reader 9.1. If you can’t, go to 8.1.4 or 7.1.1. Adobe Reader for Unix 9.1 isn’t available yet, but is expected to be by the 24th March.
  • Acrobat users:
    • 9.x users should go to 9.1 (NB, there are different download links according to which version of Acrobat 9 you own (and, not unreasonably, which platform you run it on)).
    • 8.x users should go to 8.1.4 (again, mind you use the right link)
    • 7.x users should go to 7.1.1 (several links)

PS: that Acrobat 7 issue… Updates were disabled on that machine because I wasn’t logged on as an administrator, and even when I did change logins, I had to download manually, only to find that 7.1.1 isn’t there yet. Let’s hope Adobe catch up with themselves sooner rather than later.

I can see the point of disabling updates for unprivileged users in the business world (the principle of least privilege!), in that many IT teams would be unhappy about end users installing updates they hadn’t tested in the corporate environment. But what about home/SOHO (Small Office/Home Office) users who don’t have an IT team and don’t normally run as administrator (which is an entirely sensible practice that we often advocate)? It might be civil at least to let them know that there’s a problem and an update to fix it, in case they don’t happen to read The Register or blogs by those nice people from ESET.

PPS: updating re-enables Acrobat JavaScript. While the update presumably (hopefully) fixes the recent vulnerabilities, I’m not sure I’d care to assume that no further vulnerabilities will be found. You might want to consider our earlier advice to disable it unless you really have a need for it. If you don’t know if you need it, you probably don’t. (Though the "Getting Started" document that was also re-enabled to show at startup may not run properly without JavaScript.)

PPPS: there is, it seems, another way of getting information pushed from Adobe. The Adobe Product Security Incident Response Team blog here has an RSS feed here.

Author David Harley, ESET
