Serving insecure software

By Thomas Kristensen

We've received numerous support requests from Secunia PSI users who were puzzled about a warning from the PSI about a freshly downloaded Adobe Reader being insecure.

After looking at this, we can conclude that once again Adobe serves an insecure version of Adobe Reader from its website. Since we don't like to repeat ourselves, you can literally read our blog from 21st July 2009 and replace versions 9.1.0 and 9.1.1 with 9.3.0 and 9.3.1.

This does not seem to be aligned with this quote from Brad Arkin, Director of product security and privacy at Adobe, January 12 2010: "We know that getting people updated and keeping them updated is the number-one thing we can do in terms of keeping them protected against attacks".

According to this article in Techworld, 80% of all attacks exploiting vulnerabilities in Q4 2009 exploited vulnerabilities in Adobe Reader. While this number sounds a bit too high to my ears, it certainly indicates that criminals have a new favorite target.
http://news.techworld.com/security/3212863/adobe-patches-pdf-vulnerabilities/

Serving vulnerable versions is not going to improve these sad statistics.

Stay secure,

Thomas