Vulnerabilities in Adobe Reader are often pursued as part of both targeted and mass-scale exploitation campaigns. Fortunately, version X of Adobe Reader, released in the fall of 2010, significantly improves the product’s ability to withstand such attacks by incorporating a Protected Mode sandbox. From a security perspective, it makes sense to deploy Reader X right away; yet, I expect it will be years before enterprises manage to upgrade from the older versions of the product.
The majority of enterprise environments appear to be running vulnerable versions of Adobe Reader. Zscaler highlighted the dire situation in their State of the Web report:
"Adobe reader is installed in 83% of all enterprise browsers, and is out of date in 56% of those installations. It’s no surprise then that the increasingly popular Blackhole Exploit kit includes a variety of payloads designed to target recent Adobe Reader vulnerabilities."
For a historical perspective on the vulnerabilities and exploits related to Adobe Reader, take a look at Malware Tracker’s PDF Current Threats. The good news is that Reader X’s sandbox is designed to mitigate the majority of the risks associated with these vulnerabilities. Then why won’t enterprises roll out Reader X on a large scale any time soon? Three reasons:
- Not many organizations have the skills, processes and tools to handle a large-scale upgrade of non-Microsoft products such as Adobe Reader. This is too bad, because Group Policy capabilities of Active Directory make this very achievable even without purchasing commercial Enterprise Management System products.
- End-users see no reason to upgrade from the features and capabilities perspective. After all, older versions of the PDF viewer work just fine, making the status quo a preferred state from the perspective of people using Adobe Reader.
- Web browsers are starting to include native PDF-viewing capabilities, obviating the need for Adobe Reader for many users. Google Chrome has already had such capabilities for a while. Firefox is likely to get a built-in PDF viewer soon.
For these reasons, many enterprises are unlikely to have an incentive to roll out Adobe Reader X soon. Why bother with the headache and the risk of the deployment causing problems if the users don’t care about getting the new version? That’s too bad, because the faster Reader X displaces older versions of the product, the safer we will all be online.
References: Thanks to Mila Parkour for a pointer to Malware Tracker’s PDF Current Threats page. Thanks to Dancho Danchev for mentioning Zscaler’s State of the Web report.