Adobe Reader problem

by John Evelyn on February 20, 2009

Yesterday, Adobe released a security bulletin concerning a “critical vulnerability” in Adobe Reader and Acrobat software. These are the programs used to create and read PDF documents.

They plan to release a patch for Adobe Reader 9 by March 11th, so be ready to update your software when it comes out. In the meantime, avoid opening PDFs (or any other attachments) from untrusted sources.


MJ Ray February 22, 2009 at 11:09 am

Alternatively, instead of waiting, if you only need to view ISO-standard PDFs and don’t need the “active content” of the Acrobat Extensions, then you can uninstall Adobe’s Reader and download SumatraPDF or another reader from the vendor-neutral pdfreaders.org

Why does getsafeonline seem so reluctant to suggest replacing unsafe software with alternatives?

John Evelyn February 22, 2009 at 12:19 pm

MJ Ray – I think there are two issues here. First, Adobe Reader is very widespread. With our alerts service and, in this case, via the blog, we try to warn people about vulnerabilities in widely-used software. Our alerts come from HM Government (CPNI) and they don’t include recommendations about installing alternative software. It’s just a CERT-like service. In this particular case the warning came up on CSIRTUK but for various reasons didn’t come up on our automated alerts service so we posted a blog warning instead.

For people who use Adobe Reader and Acrobat (or any other software, for that matter), it is just good advice to recommend keeping it up to date. People can make a judgement about whether one piece of software is safer than another and switch to alternatives if they want.

Second, as an organisation we have to be very careful about recommending one piece of software over another. In part this is because we simply don’t have the resources to evaluate every piece of software on the market. Yes, I know we have commercial software companies as Partners, but we work very hard to remain editorially independent of our sponsors. For example, we don’t actually *recommend* software, but we do give examples of different kinds of packages. There’s a subtle but important difference. We include links to open source directories listing as many different packages in each category as possible. Similarly, we have advice for Mac, Linux, Opera and Firefox users.

We work hard to be vendor-neutral without being blind to what our readers actually use, do and understand in the real world. As with our discussion about public keys, encryption and digital signatures, there’s a big gap between ideal best practice (for some) and what is practical. It’s like you are a member of the Institute of Advanced Motorists and we’re just trying to get people to MOT their car, buy insurance and stick to the speed limit.

MJ Ray February 25, 2009 at 1:06 pm

Yes, indeed, GSO has to be very careful about recommending one piece of software over another. That is why it’s important to link to vendor-neutral directories of alternatives when software is compromised and no fix is available. Staying up-to-date won’t protect Adobe users in this case.

And as with our discussion about public keys, encryption and digital signatures, it is shocking that GSO dismisses simple real-world working systems that are in use today as impractical “ideal best practice”.

I think your car analogy is fitting, but rather than I’m IAM, I feel it’s like I’m suggesting that people check their car is still roadworthy by current practice, while GSO is saying “do the bare minimum to get it through the MOT”. The MOT is not the requirement for cars and bare minimum security patches shouldn’t be the recommendation for computers.
