Glaswegian

It looks like Adobe's advice is falling on deaf ears. The company has spent much of March releasing fixes for a PDF bug that hackers have been exploiting for more than three months, but it seems that users are in no hurry to patch.

Scans of several hundred thousand Windows PCs owned by clients of Qualys show that few users have bothered to update, said Wolfgang Kandek, Qualys' chief technology officer.

"There's been no movement [on the Adobe Reader vulnerability]," said Kandek, referring to the scans that Qualys does to detect if a system is vulnerable to any specific attack. Considering the nature of the vulnerability - and the pervasiveness of the free Adobe Reader - that's troubling, he continued. "I would rank the Adobe vulnerability at the same level as an Internet Explorer or Windows vulnerability," Kandek said. "You could even say it's higher because Reader is also on Macs and Unix machines."

Adobe acknowledged one critical vulnerability in its Reader and Acrobat applications last month, more than a week after security company Symantec reported finding attack code in use. Starting 10 March0, Adobe began patching the two applications, first fixing Version 9, then following that with updates to Versions 8 and 7 at one-week intervals.

Last week as it released the last of the Reader and Acrobat updates, Adobe announced it had also patched five more critical bugs behind the scenes, but had waited to reveal that tidbit until it had finished fixing all versions of the software.

According to Kandek, within two weeks of the release of a fix for a critical vulnerability in Internet Explorer, about 40 percent of all PCs have been patched. That's not happened with the Adobe update. "It's just not going down," he said. Two weeks after the delivery of Reader and Acrobat 9.1, Qualys' scans were showing fewer than 10 percent of PCs patched against the actively-exploited vulnerability.


http://www.techworld.com/security/ne...&NewsID=113496