Ask the Expert

Adobe Acrobat Reader security: Can patches be avoided?

Brian Krebs recently highlighted on his blog that Fiserv, a Fortune 500 banking transaction company, suggested that its customers should not apply the most recent security updates to Adobe Acrobat Reader. In light of the application's recent security flaws, would you say this is sound advice? What is the best way to avoid Adobe's security issues?

    Requires Free Membership to View

    Login

Given the wide deployment of Adobe Reader (formerly Acrobat Reader), it's not surprising that hackers are targeting this software. Therefore, I find it disappointing that Fiserv -- a well-known provider of bank transaction-processing services and software -- would urge its customers not to apply the latest Adobe Reader patches. The advice was posted in February in the "collaborative care" portion of Fiserv's website, a section dedicated to security and IT managers at partner financial institutions. Fiserv instructed its customers to avoid the latest Adobe Reader updates, as the company found potential compatibility issues with some of its Adobe-based products. They even suggested that customers who had upgraded past version 8.1 should try uninstalling and reverting to a lower version.

This is a classic case of putting functionality before security. If a bank building had been badly damaged by a truck running into it, you'd temporarily close it until it was fixed. Nobody would dream of advising customers to keep using that particular branch until the building had been checked and made safe. So why tell customers to continue using an application that's not secure while it's being fixed? For some reason we treat IT systems and software differently, happily allowing customers to carry on using them even when they're known to be insecure. I imagine that Fiserv's software uses some Adobe-related components -- for example, a component to display a PDF document -- and the application hasn't been upgraded to work with newer versions of Adobe Reader.

My big problem with this advisory is that Fiserv has no knowledge or control over how its customers use Adobe Reader for other tasks. This wasn't an advisory solely for internal staff whose surfing and use of Adobe could be more tightly controlled. Given the spate of recent zero-day vulnerabilities in Adobe products (see sidebar), their advice could easily have left customers exposed to flaws that are actively being exploited. It also undoes all the work that has gone into making people understand the importance of keeping their software up to date. Any application providers or companies who urge users to continue using outdated and insecure software because upgrading may break functionality in custom software are doing the industry a disservice.

The best way to avoid Adobe's security issues is to keep your system and software up to date with the latest patches and don't open any attachments from unknown sources. Also make sure your antivirus software provides some form of URL filtering to alert you should you inadvertently head to a known malicious site, as this is a common method used to install malware.

For more information: According to a report issued last month by ScanSafe, 80% of the Web-based attacks from malicious and hacked websites targeted Adobe Reader vulnerabilities in the last three months of 2009. Security firm F-Secure also noted that Adobe Reader vulnerabilities are by far the most popular for use in targeted email attacks.

This was first published in March 2010

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top