Saturday, July 05, 2008

Secunia may misreport Adobe Reader Version 8 patch-levels

I’m a big fan of The Secunia Software Inspector.

It quickly performs a in-depth scan of your Windows systems looking for vulnerable versions of common software.

The other day I was working on updating the base installation packages for five of our desktop system configurations; mostly just Windows patches and other application updates. From there I take an image of them which is distributed to our field technicians to use for quick system re-deployments.

As one of the final stages of this process, I run a scan of the Secunia Software Inspector to make sure I haven’t missed something.  This is usually where I find a Java runtime version needs updating or maybe there is a newer version of Flash.

This time I found SSI reported that my Adobe Reader was at a vulnerable version.  Secunia was reporting that I was at version and needed to update to


Hmmm.  I thought I had already went and patched it already.

So I went back and checked again.


Nope. Adobe says there are no updates and it is at 8.1.2.

So at first I thought I had a corrupted installation, so I completely uninstalled Adobe Reader then (at that time) downloaded the latest version offered (version 8) and reinstalled it.

Same result.


I then checked the program properties for the main exe file AcroRd32.  Sure enough. It was indeed showing what Secunia reported;


Based on that version information, that I thought that maybe the security settings of this file somehow were preventing it from getting update. However a check showed that it was not locked at a “read-only” state.

I also found this was the case on all the other four systems I was trying to update as well.

(I also went through this same process on my own home XP and Vista it could be one that home users are likely to frustratingly encounter as well.)

What’s up?

Turns out the problem is one with both Adobe and Secunia.

Adobe’s security update/patches in this latest case did not update the file and version numbering of the main Adobe Reader executable file.  Instead it patches some additional components in the application to bring it up to the version 8.1.2 level, leaving the main file at the lower version number.

While I am not sure exactly how and what Secunia is checking when it looks for updates, it is clearly looking at the main file version in this case.  Thus causing the mis-reporting of a fully patched version of Adobe Reader 8 as at an insecure level needing updating.

Apparently I’m not the only poor sap who wasted a bunch of time working this issue out.

So chill out. If you have to continue using Adobe Reader version 8, just open it up and run the internal updater. If Adobe wraps that up and no more updates are available, then you are sufficiently patched. Don't waste your time with reinstalls of the main application again.  You should be good to go.


Curiously, the localized version of Secunia Software Inspector - Personal (PSI) RC3 - correctly reports Adobe Reader as being at and at a sufficient patch state.

And yes. I know. Adobe's version numbering is a fit.  Check out all the screenshots. Hard to tell exactly what version you are running isn't it?


In our shop, we have to stick with version 8.x for now.  The better solution would be to ditch it and just go and upgrade to the just released this past week Adobe Reader 9 and be done with the issue.

Course, if it were up to me...I would just use Foxit Software's Foxit Reader (free) and be done with the lot.

Finally, more GSD gushing on Secunia's otherwise very fine and free system vulnerability scanners:

In the end I was satisfied that the Adobe 8 versions I had were sufficiently patched, I Sysprep'ed my systems and sealed them up. I finally captured the images using Microsoft's ImageX software and copied the WIM files to the portable USB drives we issue out.

Sheesh.  Too much drama.


1 comment:

Anonymous said...

This version issue also appears to be a problem with the popular VLC player. Secunia reports a version 0.8.6i file as 0.8.6h. So far Secunia has been unwilling to admit it, unlike with Adobe.