The Mudcat Café TM
Thread #149563   Message #3479830
Posted By: JohnInKansas
14-Feb-13 - 09:47 PM
Thread Name: Tech: Adobe Problems with Flash and Reader
Subject: Tech: Adobe Problems with Flash and Reader
A new (14 February 2013) bulletin reports a "critical flaw" in Adobe Acrobat and Reader. The report gives some "instructions" for things people can do to "reduce the likelihood of infection," but no real patch is available as yet.

A separate report was that Adobe released a "critical" patch for Adobe Flash, Thursday 08 February, that "must be installed by all users immediately."

When Macromedia created and owned "Flash" it had an exceedingly poor reputation for lots of vulnerabilities and extremely long times after new flaws were reported before they were (half-heartedly?) patched, and the reputation has persisted, and may have worsened, since Adobe bought Flash. The latest Flash update report was so vague that I can't tell if it patches a new vulnerability or one of the several that have been known for nearly a year without a patch.

Adobe Reader (and probably Acrobat) patches have been a little more current, although slower than might be expected; and several that have been released have later been reported as "not fixes" for the vulnerabilities for which they were intended.

Fortunately, the use of Flash appears to be decreasing, with HTML6 and XML replacing it in some applications. The extent of the improvement is a little tenuous since NO HTML6 STANDARD is expected to exist for at least another year, and "experimental features" are still a little iffy. I've found XML details a little of a puzzle, but it seems to be a viable option - even if it is a Microsoft invention. The jury is still out on both but expectations are exhuberant for both.

A couple of days ago I visited the Adobe downloads site, but was unable to identify the Flash update there. Since seeing the latest report, I haven't bothered checking what Adobe says about it (although I expect nothing).

I have received a few Adobe Reader updates, all of which include a "more information" button to click, but a click there just takes you to a site that lists every patch Adobe has ever released with no simple way of identifying which one is the one they want to download NOW. This is the same site I was sent to when trying to identify the Flash patch, and couldn't.

Bitch over (for now).


The Flash Patch is reported at Adobe issues critical Flash fix for Windows, Mac and Android users

The Acrobat/Reader patch report can be viewed at Sinister Adobe Acrobat, Reader malware threatens Web browsers

A factor that makes the Reader patch somewhat more important is that most browsers use an add-in from Adobe to allow the browser to display pdf files. The plugin is apparently affected by the vulnerability, so you may need it even if you don't use Acrobat or Reader for other purposes.

(The report says that Linux users can use Google's Chrome browser that uses its own pdf reader (not by Adobe) but doesn't indicate the same difference for Chrome under Windows or Mac.)

"Adobe is working on a patch, but in the meantime the company advises Windows users to upgrade to Adobe Acrobat/Reader 11 and turning on a feature called "Protected View."

"To enable this setting, choose the 'Files from potentially unsafe locations' option under the Edit > Preferences > Security (Enhanced) menu," said an Adobe security advisory updated Wednesday night."

(The last time I looked, Reader 11 only worked in Win8, but that may have changed ... ???)

It's sad to see a once great company go down the tube. Would someone care to push the little handle for me?