Security flaws in Adobe software? Well I never...
I suppose this is actually quite a good excuse for not putting Flash on the iPhone or iPad...
Adobe published an out-of-sequence update for its Reader and Acrobat software packages on Tuesday that tackles a brace of serious flaws. The cross-platform Reader and Acrobat update fixes a vulnerability in the domain sandbox of the PDF technology that opens the door to possible exploits, more specifically unauthorised cross- …
I go to http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows , and right now, the most recent patch listed there is for 12 Jan 2010, and is 9.3. The acrobat auto update gets you 9.3.1, but where's 9.3.1 if you are deploying acrobat rather than relying on the desktop users to click OK to a patch, and trusting them with admin rights?
http://get.adobe.com/uk/reader/ - 9.3.
Maybe they prefer you to turn on the product's internal update function. Or they're waiting for the rush of people doing that to die down.
The drawback is, some people will look for it on BitTorrent instead. That could be a bad mistake.
I just checked the redistribution site for Flash while dealing with Acrobat - if you're using tools like SMS or Zenworks it'll get you MSI installers. They haven't updated the MSI installers since Janaury 26th, which is the PREVIOUS Flash update, not the current one from last week. Because, you know, you wouldn't want to use your fancy management tools to push out a critical security update to your enterprise.
And now back to Acrobat.
If you've got Acrobat Professional, you can't get updated installers. You have to install 9.0 and patch it - and the patches aren't cumulative. 9.0 > 9.1 > 9.1.1 > 9.2 and so on. However, if you install Acrobat Pro 9.0 and then Reader 9.3 (say you don't want Pro as a browser plugin), the Reader installer modifies the Acrobat Pro installation so it at least thinks it's 9.3. To the point where the 9.3.1 Acrobat Standard/Professional patch will install on top of it. The Reader 9.3.1 msp file, of course, still has to be applied to Reader separately. Mind you, the Reader installer modifying Acrobat Pro doesn't seem to be documented anywhere. Who knows if it's actually fully updating Acrobat Pro.
They're reaction when we asked them about updated install media last month? Confusion, pointing out that we can download the 9.0 installer from the volume licensing site, and saying "Well, you'll be able to update to 10.0 when that comes out later this year".
I ditched Acrobat for viewing PDF files for two reasons. First it is a big piece of bloatware these days that wants to stay resident. Second it is 32-bit and I run a 64-bit version of Windows Vista now. I found that PDF-XChange has a native 64-bit version ( as well as a 32-bit version for 32-bit types ), runs very fast and uses very little memory. Highly recommended and they have a free version of people.
http://www.docu-track.com/
If you were foolish enough to think this is finally fixed you'd be
stunned to learn otherwise. Stunned if you had just crawled out from
under a rock.
According to Secunia this latest and greatest 'fix' from Adobe clusterf*ck
Systems Inc is just another foil to fool you, dear tool, er user.
Here's a link and everything.
It's not in PDF form so it must be true.
http://secunia.com/blog/75/
<ding!>
{ Adobe Updater }
Write Permission Error. The download cannot be saved to D:\Temp\Adobe because you do not have permission to create a file there. Make sure you have the proper permissions and then click Retry. Otherwise, click Change Location.
...
I told the updater to stick its rubbish in the Temp folder because I was sick of it scattering its crap around my disc. Permission error? Bollocks. The Adobe folder was probably auto-deleted in a Temp-Tidyup, but you - woeful Adobe - are too f**king stupid to think to ensure the required directory structure exists BEFORE you try writing there. And when it goes all tits-in-the-air instead of whinging "invalid directory" it instead complains about Permissions With Odd Capitalisation.
Fail, fail, fail, fail, fail, fail, fail, fail, bl**dy f**king FAIL!
[okay, I feel better now...]
PS: FAIL also for offering me 20-somethingMb of language pack I don't want for forms I won't fill in, over and over and over. At least WindowsUpdate has an option to tell unwanted updates to sod off and stop bothering me.
And of course it felt that I would benefit from having a shortcut to Reader on my desktop. Stupid arrogant gits. If I want a shortcut to something on my desktop I'll put it there myself. Of all the things I /might/ want a shortcut to Adobe Acrobat Reader is pretty much the least likely. It seems to integrate with my browser and/or launch itself when I double click so why would I want it on the desktop?
It gets better. There's an updater visible at ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.3.1/misc/ , which you need a username and password to actually download. I've registered to deploy acrobat reader, but I've never received such a password. Are they actually playing with us?
I recently migrated to a new syste and reinstalled Acrobat 8 Pro. It was already at 8.1.0. I needed 7 patches to get it to the current 8.2.1. This is getting rediculous.
BTW, Adobe's quarterly updates are bad. Now we have to wait up to 3 months [or in some cases more when they forget to disclose a vulnerability] to get updates and all these updates are fixes to vulnerabilities. They [at this point] aren't likely to release any new features for them. So why bother with the quarterly updates?