Confused by Adobe? There’s a security update in there somewhere!


If you’ve been following Adobe news this week, you’re probably as confused as I am. [That’s unlikely, Ed.]

The big news, released yesterday, is that Adobe Acrobat X is out. (Is Adobe trying to cuddle up to Apple here, do you think? As with Apple’s current Macintosh OS, the version number is written ‘X’, but pronounced ‘ten’.)

Version 10, sorry, X, includes Adobe’s much vaunted Protected Mode. The Protected Mode sandbox is not a simple thing – see these three blog articles from Adobe – and, as Adobe wryly reminds us, “the sandbox’s reliance on the operating system means that it could potentially be subject to its flaws.”

Additionally, of course, adding yet more complexity – albeit in the name of security – to already very complex, multi-million line applications may introduce yet more flaws.

Nevertheless, Adobe’s divide-and-conquer approach inside its version X is to be applauded. The abovementioned blog articles from the Adobe Secure Software Engineering Team include diagrams which show how sandboxing can greatly increase the number of sequentially successful tricks an exploit would need to perform in order to gain control.

I approve of defence-in-depth, and I am hoping to see positive results from this new protective cocoon.

The confusion in all of this is that version X isn’t really out, but merely emerging. Some parts of Adobe’s new product range can be ordered now, whilst other parts can only be pre-ordered, whatever that means.

Most importantly, Adobe Reader X isn’t out yet. But there is a brand-new update to Adobe Reader 9. This is not a routine quarterly patch from Adobe, since it deals with vulnerability APSA10-05, which the company didn’t have time to fix in its last regular security update.

As is usually the case for out-of-band patches, this one is considered critically important: attacks exploiting this vulnerability have been seen in the wild.

Added to all of this is Adobe’s understandably excitable email marketing campaign surrounding the gradual release of the Acrobat X series of products. Since the licensing of the many components is complex, and since some parts can be ordered now, whilst you can only get into a queue for others, it’s not surprising that Adobe has issued an advisory to warn everyone to be on the lookout for phishing scams using the latest Acrobat X upgrade as a hook.

Ignore emails which claim to give you earlier access to the not-yet-available products, or which ask you to sign up to be advised when Adobe’s products are out.

And ignore emails which offer you a way to access Adobe Reader X. It isn’t out yet (it’s expected by the end of the month); you don’t need to sign up for it; and when it does come out, you can just go directly to Adobe’s standard URL to fetch it:

(Note to Adobe: please remove the words you may have to temporarily disable your antivirus software from that download page. That’s risky advice, since it leaves the entire computer unprotected for the entire time of download and installation, and even longer if the user forgets to enable it again.)

Adobe’s next scheduled security update is one quarter away: Tuesday 08 February 2011. With all the many changes in version X, and given that there have already been three security updates this month, it’s reasonable to expect that neither we nor Adobe will be able to wait that long. Perhaps it’s time for Adobe to follow Microsoft into a pattern of monthly scheduled updates?

There you have it. Here’s my six-point summary:

* Adobe upgrades are for features, and updates are for security.

* The Acrobat X upgrade is out, but not all of it.

* Reader X upgrade is not out, but a critical update to Reader 9 is available now.

* Watch out for cybercrooks using the size and scale of the Version X upgrade to scam you.

* Be vigilant in case updates, even to the latest Version X upgrade, appear before next February.

* Don’t temporarily disable your anti-virus when installing new software. You may need to relax some strict behavioural features (or get your admin to do so), but disabling it altogether is a bad idea.

And if you’d like to learn more about Adobe’s new-found thrust for security, why not listen to this podcast, in which Sophos’s Chet Wisniweski interviews Brad Arkin – Senior Director of Product Security and Privacy at Adobe:

(23 August 2010, duration 24:36 minutes, size 11.8MBytes)