It's time for Adobe to give up on supporting its old users and move ahead with working on the weapon it could use to stall zero-day attacks on its Reader software.
It's becoming more difficult to talk about Reader without someone chiming in about the huge number of security issues that exist with the product. Indeed, a cursory glance over the company's bulletins and advisories list for its products reveals a raft of problems. What's important to notice, though, is that Adobe isn't providing support for just Reader X, it also continues to support Reader 8 and 9.
Adobe senior director of product security and privacy, Brad Arkin, previously said the reason for this was to protect people who didn't bother updating the free product to the latest version because, as far as they were concerned, it still did the same thing. Even then, he suspected that people weren't patching.
This makes his reasoning circular — Adobe is patching its older products because they're vulnerable, but they're vulnerable because people don't patch them? It's nice of Adobe to maintain support for older products, but it should realise that the effort is futile.
In fact, legacy support for its old products might actually be hindering its progress in securing its software.
Adobe saw fit to include a "Protected Mode" sandbox in its latest Reader X product, but this isn't available in Reader 8 or 9. And as long as the latter two products are supported, there's less incentive to upgrade to Reader X — most will download the latest patch and consider themselves secure; that is, until the next zero-day appears.
In the most recent "critical" zero-day, Adobe has stated it will release a patch for affected Reader 9 users in the week of 12 December. Arkin wrote on Adobe's security blog: "We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin time off."
This means Arkin and his team are having to work around the clock to push out an update for Reader 9, which users may or may not even use. It's also likely to wreak havoc upon system administrators, during the Christmas period no less, since it is an out-of-cycle patch that they most likely haven't had the time to prepare for.
What about Reader X? As it turns out, Arkin gets to put his feet up for a bit because Protected Mode actually prevents the exploit from executing. A patch for that version of Reader is scheduled for its more predictable quarterly security update on 10 January next year.
Adobe also got a break earlier this year in April, when Protected Mode made Reader X immune to a critical vulnerability, allowing Adobe to hold the fix for its regular quarterly update as late as June.
In fact, Arkin claims that there has not been a single piece of malware that has been effective against Reader X.
That's not to say that it won't occur or that sandboxes are the magic solution to zero days — Chrome's sandbox is just one example that has been broken before — but it does mean that there will be an extra layer of security that hackers will have to break in order to achieve their objectives.
It appears that Adobe has found the fabled defence against zero-day threats — a stop-gap measure to give itself more time to produce a more permanent fix — but so long as Reader 8 and 9 are still being used, its security team are still going to have to put out the fires that they create.
Arkin appears to be acutely aware of the predicament.
"I'd like to take this moment to encourage any remaining users still running Adobe Reader or Acrobat 9.x (or worse, older unsupported versions) to please upgrade to Adobe Reader or Acrobat X," he wrote on Adobe's blog.
"Help us help you by running the latest version of the software!"
Sure, dropping support for Reader 8 and 9 will cause problems for those that still aren't running Reader X, but fighting a losing battle to keep insecure and reactively patched software alive might be an even bigger one.