Adobe Fixes PDF Holes

         

engine

1:07 pm on Jan 11, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Following on from the reports of a problem with Adobe's PDF Reader & Acrobat software, it seems a patch is now available.
[webmasterworld.com...]

Adobe Systems has issued updates to fix security flaws in its Reader and Acrobat software that could allow an attacker to remotely commandeer a computer.

The vulnerabilities affect Adobe Reader and Adobe Acrobat Standard, Professional and Elements versions 7.0.8 and earlier, as well as Adobe Acrobat 3D, the company said in its advisory. Secunia rated the Reader flaw as "highly critical".

The version 7.0.9 updates issued on Tuesday are designed to address holes that could allow outsiders to gain access to hard-disk drives via a malicious link that targets PDF files on vulnerable computers.

Adobe Fixes PDF Holes [software.silicon.com]

bouncybunny

6:26 pm on Jan 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I keep reading all over the web that Adobe has released a patch, but I have yet to find a link to download this mythical patch.

Anyone?

engine

7:05 pm on Jan 11, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Sometimes, this Adobe Reader Support [adobe.com] page helps, or the updates page. [adobe.com]

[edited by: engine at 7:07 pm (utc) on Jan. 11, 2007]

jimbeetle

7:06 pm on Jan 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Adobe >> Downloads >> Updates

jdMorgan

7:39 pm on Jan 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The cited article describes an upgrade for older versions of Adobe 7.x.

Adobe recommends Reader users upgrade to Reader 8, the most recent major version, to fix the problem. Those whose computer systems are not compatible, or who do not want to move to version 8 can install Tuesday's 7.0.9 version instead.

The normal "Get Adobe Reader" download page can be used by current Windows OS users to upgrade to Adobe Reader 8.0.0.

In both cases, this is an upgrade requiring a full install, not an update.

It appears that support for older Windows versions is not available at this time, since Adobe Reader 7.0.9 states that Win XP, Win2k SP4, Win2003 Server, WinNT SP6 or SP6a, or Win XP Tablet PC is required.

Adobe Reader 8.0.0 supports only Win XP Pro, Home Edition, or Tablet PC Edition (all with SP2), Win2000 with SP4, Win2003 Server, or Windows Vista -- Note no support for WinNT.

It seems that legacy Win98/98SE/ME users are left without a solution at this time.

Jim

encyclo

8:06 pm on Jan 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>> It seems that legacy Win98/98SE/ME users are left without a solution at this time

To be fair, users of Win98/98SE/Me have much, much bigger problems than this particular vulnerability. Those Windows versions are now unsupported by Microsoft and contain multiple unpatched vulnerabilities in IE itself. Tough to blame Adobe when MS doesn't provide patches either. :)

jdMorgan

8:56 pm on Jan 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yeah, I know. Both MS and Adobe are wrong to assume that most of the world --and particularly the parts of the world where few users have anti-malware software installed-- will ever upgrade their OSes. MS, Adobe, and the others should consider security support for legacy OS versions as self-protection, and not just as a drain on their resources.

IMHO,
Jim

coopster

9:02 pm on Jan 11, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



In addition, I have an old copy of Adobe Acrobat Standard 6.0 running on my workstation. Not the Reader, but the Standard version. If you are running an old version of Adobe Acrobat Standard/Professional/3D and don't have an updated Reader, download the latest reader.

If you don't, by default your Standard product is going to open the file and I'm certain the Reader rendering engine included in that product is going to be outdated and vulnerable.

I just installed Reader 8.0 and it is running on my workstation just fine along with the old Standard 6.0.

bouncybunny

12:31 pm on Jan 12, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>> Sometimes, this Adobe Reader Support page helps, or the updates page.

In this case it doesn't appear to.

I can find no way to secure earlier versions of the full version of Acrobat (not the reader) which, from what I can work out, also appear to be affected.

Adobe's solution seems to be to pay for an upgrade to the latest version.

coopster

12:40 pm on Jan 12, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



That's what I just explained, but obviously not very well. Let me try again ...

I have the full version of Acrobat (not the reader). I have never downloaded the reader because the full version will open pdfs for me. Now, in order to fix the issue in my full version I would have to upgrade my product. However, I do not have to do that. I can download and install the latest reader and now by default pdfs will be opened with the new program.

I can still use my old full version by accessing it through the program menu when I need to edit pdf documents or otherwise.

bouncybunny

12:50 pm on Jan 12, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi Cooper

I did understand your post. I suppose my thoughts are that this is a workaround, rather than a fix. But I do get your point.

I also would rather not have to have both the reader and the Pro version running at the same time. It's just one more pain in the neck to deal with.

coopster

12:54 pm on Jan 12, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Oh yes, I agree with you 100%. It is both a pain and indeed a workaround. Ultimately I should uninstall both products and upgrade to a more recent version of a PDF management utility, Adobe product or otherwise. And I think that is what you are saying too. Neither one of us wants to though so I went with the *cheap* workaround for now ;)

bouncybunny

1:09 pm on Jan 12, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Oh yes. Cheapskate's my middle name. ;-)

Although, I get the impression that the major problem with this issue is the PDF browser plugin, rather than the standalone product. I'm sure I'm missing some of the points here, but there is a certain amount of vagueness in most of the reports I've read.

coopster

1:25 pm on Jan 12, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Sounds like you and I are looking at this from the very same angle. I spent a good hour on Adobe's site yesterday trying to figure out what I need to do since I didn't have the Reader on my machine. Yet I'm quite certain the very same engine that is in the Reader resides in the full Acrobat product versions. So, with that level of doubt and possible vulnerability I set out to discover what I must do to keep myself from exposure. Yeah.

I'm not saying my solution is ideal, quite the contrary. I'm just saying that is what I did for now. I'm keeping a close eye on this thread!

bouncybunny

11:51 pm on Jan 12, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Indeed.

I'm also trying to work out if this is just a Windows issue, or whether it affects Mac users also. Adobe's update page says "This product addresses several security issues including a cross-site scripting (XSS) vulnerability on Windows." Yet it offers a link to download the Mac version also.

Once again, this only refers to the Reader. And the Secunia alert suggested that it was the plugin which affected certain versions of two Windows browsers. OK. So far so good(ish).

But Secunia also said there were issues with the full versions of Acrobat, which may or may not affect the standalone package, or perhaps it is just the plugin that comes with those packages?

And I have just read a story on iTwire that says that Apple's 'Preview' application also suffers from this (or a similar) issue.

OK. This is my final post on the subject, as I clearly have far too many questions and no coherent answers. ;)