Adobe Systems Inc. is urging users to update installations of Adobe Reader and Acrobat to fix a critical flaw that attackers have been exploiting to break into vulnerable systems.
The update brings Adobe Acrobat and Reader to version 9.3.3 (a separate update for the older 8.2 line of both products brings it to version 8.2.3). Patches are available for Windows, Mac, Linux and Solaris versions of these programs. Adobe’s advisory for this update is here, and the Reader update is available from this link — or by opening the program and clicking “Help” and “Check for Updates.” If you download the update from the Adobe Reader homepage, you’ll end up with a bunch of other stuff you probably don’t want (see below, after the jump, for more on this).
If you use Adobe Reader or Acrobat, please take a moment to update this software. Users may also want to consider switching to other free PDF readers that are perhaps less of a target for malicious hackers, such as Foxit Reader, Nitro PDF Reader, and Sumatra.
It’s not hard to recommend almost any other PDF reader over Adobe’s. For starters, despite Adobe’s promises to streamline its update process, updating an Adobe product seems to have gotten far more complex over the past year or so. For instance, updating from Adobe’s Web site always pre-checks the installation of third-party software, such as an anti-virus “security scanner” or a toolbar. This version of Reader also installs a program called “Acrobat.com,” an online PDF creation and manipulation manager. Incidentally, when you launch Acrobat.com from the icon the Reader update leaves on your desktop, another “mandatory update” is required for this product as well.
On top of that, the user is required to download the Adobe Download Manager, a program that has in the past introduced its own security vulnerabilities.
Many readers have asked about the purpose of the download manager, which is apparent with this month’s release: Adobe is using the Download Manager progress screen as an opportunity to pitch a number of other software titles available for download, apps made to work with Adobe Air, yet another multimedia component that comes bundled with each Reader update.
But the update process still isn’t complete. In fact, Adobe Reader at this point is only at version 9.3.0, and still needs to download an additional update to bring the user up to the latest version, 9.3.3. Getting that update requires opening Reader, waiting a minute or two for the Reader Update icon to appear in the Windows taskbar, and then double-clicking the install button. Windows users then need to restart their systems for the patch to take effect.
By the way, the vulnerability Adobe fixed in Reader and Acrobat also exists in Adobe’s ubiquitous Flash Player, but Adobe shipped an update to fix that flaw in Flash on June 10. If you haven’t already updated Flash this month, have a look at this post, which walks you through how to do that.