June 27, 2008 5:12 PM PDT

Adobe Reader patch, now you see it, now you don't

by Michael Horowitz

This story starts out like so many others, but then takes a twist.

On Monday, Adobe released a patch that fixed a critical bug in their Adobe Acrobat Reader program. This was reported at CNET by Robert Vamosi, at ZDNet by Ryan Naraine, at the Washington Post by Brian Krebs and elsewhere. When I ran the Adobe Reader on a couple machines, I was duly reminded by a yellow tooltip window that a bug fix was available. On each machine the patch installed just fine. Ho hum.


The twist came about when I went to verify that the patch had been installed. I had started with the latest version of the Adobe Reader, 8.1.2. After installing the patch, I still had version 8.1.2.

You would be excused at this point if you thought this posting was about how or why the patch hadn't been correctly installed. But no, it had installed fine. Pretty surprising behavior, especially since the Adobe Reader may be the most widely installed software on the planet.

So, how can you tell if you have the buggy or the patched version of version 8.1.2?

Of course, if you're online, you can always check for updates. But, update applications are far from foolproof. Just today, Adobe's updater warned me that it couldn't check for updates to itself.

Windows

Security firm Secunia issued an advisory about this bug on June 24. Yet, four days later, its usually excellent online scanner incorrectly flags a patched instance of version 8.1.2 as being version 8.1.0.137. I verified this on Windows XP and 2000.


For Windows XP, an answer came from someone calling themselves "zube" who made a comment at WashingtonPost.com. Go to the "Add or Remove Programs" applet in the Control Panel. At the top, turn on the checkbox to "Show updates" and Windows XP reports the installation of this latest bug fix.


As for Windows Vista, I installed a new copy of the Acrobat Reader today. A check for updates said it was the latest and greatest. But, the "Programs and Features" applet in the Control Panel did not indicate that it included this latest patch.

On a Windows 2000 machine with version 7 of the Adobe Reader, I uninstalled the old version and downloaded version 8.1.2 from Adobe.com. Even though this latest critical patch was released four days ago, Adobe is still offering up the buggy version of version 8.1.2 for download (as of June 27, 7 p.m. PDT). After installing the just-downloaded software, a check for updates showed that it was missing this latest bug fix. After installing the patch, the Add/Remove programs applet in the Control Panel verified that it had been installed.

Update: After this posting was originally written, Adobe pointed me to the Release notes for Adobe Reader and Acrobat 8.1.2 SU1 security update, which details two other ways to verify that you are using a patched instance of version 8.1.2. From the Adobe Reader, click on Help -> "About Adobe Plug-Ins..." -> Comments. The displayed date (see below) should be 6/7/2008. There is also another method that involves querying the registry.


Macintosh

On a Macintosh, Adobe advises clicking Reader -> Adobe Plug-Ins -> Comments. Just as with Windows, they say the API should be dated 6/7/2008. The Release Notes for the patch also describe some files that Mac users can look for. The presence of the files indicates a patched instance of the software.

Linux

The Security Bulletin for this patch doesn't say anything about Linux.

Ubuntu 8.04 does not include the Adobe Reader; instead, Evince is used to read PDF files. I installed Acrobat 8.1.2 on Ubuntu after downloading it today from Adobe.com. The Help->About showed that the software was from January 15, 2008. I'm no expert on the four different package managers that come pre-installed with Ubuntu, but it didn't seem there was a more recent update to the Reader. Whether the software is vulnerable, only Adobe knows.

Update: According to Adobe, the software is vulnerable on Linux, an update is "in process" and it's expected to be released in July. When the fix is available, Adobe will update the Security Bulletin (link above).
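The practical consequence for anyone tracking patch status across several machines, as an added example (not from the original post or from Adobe): the version string cannot separate patched from unpatched 8.1.2, so the Python below classifies inventory records using the secondary markers the post describes. The record fields, host names, the update entry's exact name and the non-patched plug-in date are assumptions, constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

PATCHED_PLUGIN_DATE = "6/7/2008"    # date the post says a patched Reader displays
UPDATE_LABEL = "security update 1"  # assumed substring of the update entry's name

@dataclass
class ReaderRecord:                 # hypothetical inventory row, one per machine
    host: str
    os: str                         # "windows", "mac" or "linux"
    version: str                    # what Help -> About reports
    plugin_date: Optional[str] = None               # plug-in date, if collected
    updates: List[str] = field(default_factory=list)  # "Show updates" entries

def classify(rec: ReaderRecord) -> str:
    if rec.version != "8.1.2":
        return "out-of-scope"       # this check only reasons about 8.1.2
    if rec.os == "linux":
        return "unpatched"          # per the post: vulnerable, fix not yet released
    if rec.plugin_date == PATCHED_PLUGIN_DATE:
        return "patched"
    if any(UPDATE_LABEL in u.lower() for u in rec.updates):
        return "patched"
    if rec.plugin_date is not None:
        return "unpatched"          # marker was collected and is not the patched date
    # No plug-in date and no update entry: a missing entry is not proof either
    # way (the post's Vista machine listed none), so do not guess.
    return "unknown"

INVENTORY = [  # constructed sample data
    ReaderRecord("xp-01", "windows", "8.1.2",
                 updates=["Adobe Reader 8.1.2 Security Update 1"]),
    ReaderRecord("w2k-01", "windows", "8.1.2", plugin_date="1/11/2008"),
    ReaderRecord("vista-01", "windows", "8.1.2"),
    ReaderRecord("mac-01", "mac", "8.1.2", plugin_date="6/7/2008"),
    ReaderRecord("ubuntu-01", "linux", "8.1.2"),
]

def audit(records):
    """Map each host to its patch status."""
    return {r.host: classify(r) for r in records}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:10} {status}")
```

All five constructed machines report the same version, yet they land in three different states; "unknown" is the case to chase down rather than count as patched.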

Foxit

Many people argue that the Foxit PDF Reader is a better choice for viewing PDF files. There is a version for Windows, Linux, U3 and more (but no Mac version). Whatever the prior arguments were, now there is a new one. Adobe should not make patching into a guessing game.

Update June 27, 2008: Added Windows 2000
Update June 27, 2008: Added Secunia
Update June 28, 2008: Expanded Secunia and Linux topics
Update June 28, 2008: Included information from Adobe
Update June 29, 2008: Updated Foxit topic

Some information from the Release Notes for this patch also appears on an Adobe blog by Steve Gottwals: "How Can I Tell if I've got Reader 8.1.2 or 8.1.2 Security Update 1 Installed?"


Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by BassaBabe June 27, 2008 8:19 PM PDT
On all my program installations (220+) sans the Windows never-ending fixes - that latest fix from Adobe is the only program listed like that, bizarre..