March 27, 2009, 3:08 PM — Although Adobe spent much of March releasing fixes for a PDF bug that hackers have been exploiting for more than three months, users are in no hurry to patch, a security company said Friday.
Scans of several hundred thousand Windows PCs owned by clients of Qualys Inc. show that few users have bothered to update, said Wolfgang Kandek, Qualys' chief technology officer.
"There's been no movement [on the Adobe Reader vulnerability]," said Kandek, referring to the scans that Qualys does to detect if a system is vulnerable to any specific attack. Considering the nature of the vulnerability -- and the pervasiveness of the free Adobe Reader -- that's troubling, he continued. "I would rank the Adobe vulnerability at the same level as an Internet Explorer or Windows vulnerability," Kandek said. "You could even say it's higher because Reader is also on Macs and Unix machines."
Adobe acknowledged one critical vulnerability in its Reader and Acrobat applications last month, more than a week after security company Symantec Corp. reported finding attack code in use. Starting March 10, Adobe began patching the two applications, first fixing Version 9, then following that with updates to Versions 8 and 7 at one-week intervals.
Tuesday, as it released the last of the Reader and Acrobat updates, Adobe announced it had also patched five more critical bugs behind the scenes, but had waited to reveal that tidbit until it had finished fixing all versions of the software.
According to Kandek, within two weeks of the release of a fix for a critical vulnerability in Internet Explorer, about 40% of all PCs have been patched. That's not happened with the Adobe update. "It's just not going down," he said. As recently as Monday, two weeks after the delivery of Reader and Acrobat 9.1, Qualys' scans were showing fewer than 10% of PCs patched against the actively-exploited vulnerability.
What's especially disconcerting, added Kandek, is that although the vulnerability has been highly publicized, it has remained under the radar for most users. "That's common for vulnerabilities that aren't in an OS. While a bug like this will be tracked by a security professional, and by certain enterprises on the top of their game, many people, including those in small companies, may not notice it.
"They have Windows Update turned on, but that doesn't do them any good with all these other software programs they use," Kandek said. Adobe disputed Kandek's conclusion that few are patching its software. "We've seen a significant increase in download traffic through the Update Manager," said Brad Arkin, Adobe's director for product security and privacy, referring to the update utility bundled with its software.
When a user opens Reader or Acrobat, said Arkin, the Update Manager checks Adobe's servers and then either notes that an update is available, or goes ahead and downloads any available updates, depending on the options that have been chosen. "We usually see an elevated level of [download] traffic for some time after we release a patch," said Arkin, "and what we've seen so far [with this update] is consistent with that."
He did acknowledge one exception to the rule that Adobe notifies users of available updates. "We're not pushing Version 7.1.1 through the Update Manager because the vast majority who use it are in the enterprise, and they prefer to pull updates from the Adobe support page," said Arkin.
The updated editions of Reader and Acrobat can be manually downloaded from the Adobe site.
This isn't the first time that Kandek has raised a red flag over lackadaisical patching. Last December he used Qualys' scanning data to show that Windows users had not applied an emergency Microsoft fix with any special urgency.