Adobe on Tuesday patched a hole in its ubiquitous Acrobat Reader program that allows attackers to remotely install malware without requiring unsuspecting users to do anything more than browse to the wrong website. Real-world attacks targeting the vulnerability, which affects all versions of Reader, have been circulating for the …
A great problem indeed
Adobe's updating definitely isn't what it should be. Adobe could choose the Apple approach -- install an updater utility that checks for updates and notifies the user -- but as far as I know, currently Flash and Adobe Reader will never phone home for updates unless they're already running. And I'm sure some Reg readers will commend this (arguably) less-intrusive approach. What definitely isn't cool is Flash's default check-for-updates interval of 30 days.
Perhaps the greatest problem with so many third party products, though, is that they can only be updated from an administrator account. Flash, Reader and Firefox suffer from this. I'm fairly certain that non-administrators won't even be notified that there are update(s) waiting, in the case of these three examples. Yet running day-to-day on an account with limited privileges is something we are told we should do, and something I certainly recommend to all the people for whom I'm "the computer guy". So I think this is a great problem.
re: A great problem indeed
While I can understand why you think Adobe should have a separate systray app to check for updates, I'm torn on that issue. While I do think software products should have auto-update mechanisms that the user can choose to use (or choose to not use, if the user so desires), I feel that every product having its own updater is an unnecessary drain on system resources.
What software authors should do is agree on a framework by which product updates can be looked for, downloaded, and installed. That way, the user could install a single application which could keep all installed products updated (similar to the way various Linux distributions use one updater app, but instead of updating software packages from the distro's repository, the app would check for and update from each product's home). With that approach, the user would only need one updater app, thereby reducing the resources consumed and allowing much greater control over the updates (frequency of checks, choose whether or not to create a restore point before updating, update method [auto, download+notify, notify-only], etc). But for this to work, software authors would have to agree on a standard update method for checking versions of installed products, checking the product's home for the latest version, how to download the latest version (including any required user authentication), and how to update the software (whether the patch would be an .exe, .msi, or some other format). Preferably, Microsoft could integrate Windows Updates into such an updater so that all updates can be done from one app. It would be much more convenient for the user, and much less confusing to the user.
We have no titles. In fact, we don't need titles.
Been using FileHippo's Update Checker for a while now and that seems to work pretty well in keeping me up to date. It certainly spotted more outdated software than Secunia PSI just did, and doesn't want an email address - which always reassures me, for some reason. Having said that, there's still no beating a regular perusal of your installed apps and services to see what needs pruning. But persuading my non-geeks of that is nigh impossible, so I'll just have to keep doing it for them...
One updater to rule them all!
How about a podcast or rss type mechanism from a central update app. Individual 3rd party apps (as opposed to OS updates) can register themselves and the updates show up in a single place.
I'm sure there are flaws with this idea, but it seems like a good place to start.
A chance for Stevie B to be a shining knight?
Yes, these things should be easily managed with an agreed format (XML schema?) that defines manufacturer, product, version, executable path, update check URI, update type and update check frequency. A simple low-overhead system process then looks after the notification of updates to the user, or automatically installs them, depending on the chosen settings for that product.
Homogenisation of user dialogs is always A Good Thing™, so if the updates always come from the same place and in the same style, then Joe User isn't going to be as afraid of them and we're more likely to see the updates applied in a timely fashion.
Microsoft already has much of this in place in Windows Update (possibly excepting the low overhead bit!) and it will take Redmond to make this happen, so why not open WU up?
Windows and MacOSX both have reasonably decent update systems, but sadly only for the manufacturer's software. Opening this up to third party suppliers would be logical but they'd have to be extremely careful about security - and I'm not sure they'd want to check every update's source code personally to make sure it's not malicious.
My usage of Linux is limited but I was very impressed with the update system in Ubuntu - it appeared to me to package all relevant updates together quite nicely.
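The registry format proposed a few comments up (manufacturer, product, version, executable path, update check URI, update type, check frequency) and the "be extremely careful about security" caveat that follows it, sketched as an added example that is not code from any commenter or vendor. The XML element and attribute names, the URLs and the use of a SHA-256 digest from the update manifest are assumptions; the registry content is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample registry. Element and attribute names are assumed;
# nothing in the thread fixes a schema, only the list of fields.
REGISTRY_XML = """<registry>
  <product manufacturer="Adobe" name="Reader" version="9.0"
           path="C:/Program Files/Adobe/Reader 9.0/AcroRd32.exe"
           checkUri="https://updates.example.invalid/reader.xml"
           updateType="notify" checkDays="1"/>
  <product manufacturer="Adobe" name="Flash Player" version="10.0.12.36"
           path="C:/Windows/System32/Macromed/Flash/Flash10a.ocx"
           checkUri="https://updates.example.invalid/flash.xml"
           updateType="auto" checkDays="30"/>
</registry>"""

def load_registry(xml_text):
    """Return one dict per <product>, with checkDays converted to int."""
    out = []
    for p in ET.fromstring(xml_text).iter("product"):
        d = dict(p.attrib)
        d["checkDays"] = int(d["checkDays"])
        out.append(d)
    return out

def version_key(v):
    """Pad dotted versions to four components so '9.1' == '9.1.0' and '9.1' > '9.0.0'."""
    parts = [int(x) for x in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def due_for_check(product, last_check_iso, now_iso):
    """True once the product's own check interval has elapsed (ISO-8601 dates)."""
    elapsed = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_check_iso)
    return elapsed >= timedelta(days=product["checkDays"])

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def decide(product, latest_version, expected_sha256, payload):
    """Classify a fetched update. The payload digest must match the manifest's
    value before any install/notify decision, so a tampered or substituted
    download is rejected even when its version string looks newer."""
    if version_key(latest_version) <= version_key(product["version"]):
        return "up-to-date"
    if sha256_hex(payload) != expected_sha256:
        return "reject-hash"
    return "install" if product["updateType"] == "auto" else "notify"
```

A real deployment would sign the manifest as well as hashing the payload, since an attacker who can alter the manifest can alter the digest in it.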
Adobe Updater is the spawn of satan. I really don't understand why I can't use a simple HTTP download to get something from Adobe, rather than using some stupid download client.
Boo on Adobe
First, the Reader and Acrobat (full) updates currently apply to version 9 only. Versions 7 & 8 will be out in a week. Unsure why they released the updates for version 9 as it probably doesn't account for 5% of the share. The Standard/Pro update clocks in at more than 110MB. Reader at 16MB.
Second, those using Active Directory *could* easily distribute any Flash update or version. Problem is that version 10 doesn't seem to work well with AD. Version 9 works fine. I've reported the version 10 glitch and Adobe did nothing.
I think Adobe is doing a REAL crappy job of late. The CS4 suites seem to be so buggy. Something like over 1GB of updates already.
Acrobat 6.x running on Windows 98 is not vulnerable
I ran the POC code at milw0rm on win-98 running acrobat 6.0.2 and it seems not to be vulnerable to this Jbig exploit. Win-98 wins again over NT-based OS's.
Re: Boo on Adobe
"Versions 7 & 8 will be out in a week."
Ah, thanks for that. It explains why checking for updates revealed nothing. As it happened, I also tried to upgrade to 9.1 "manually", but the download manager was killed by McAfee on the grounds that it looked like it was "bo:heap".
Adobe are just *so* shit. It quite takes one's breath away.
Uninstall Adobe PDF Reader. Install Foxit Reader or any one of the other PDF readers available. Adobe Reader is just a piece of bloatware anyway.