Category Archives: Adobe

Acrobat Reader security update

Forty-seven security vulnerabilities in Acrobat Reader — many of them flagged as Critical — prompted Adobe to release a fixed version on May 14.

Acrobat Reader comes in a few different flavours, but the one targeted at regular users is Acrobat Reader DC, which is also sometimes referred to as Acrobat Reader DC (Continuous Track). See the post Adobe Acrobat Reader updates from 2018Feb16 for more information about Acrobat/Reader variants.

Acrobat Reader DC version 2018.011.20040 contains fixes for all forty-seven vulnerabilities documented on the associated security bulletin.

You can install the latest Reader by visiting the Get Acrobat Reader page on Adobe’s web site. Don’t forget to disable any checkboxes for installing optional software. When I installed Acrobat Reader DC 2018.011.20040 from that page earlier, there were three such options, all enabled by default:

  • Install the Acrobat Reader Chrome Extension
  • … install the free McAfee Security Scan Plus utility …
  • … install McAfee Safe Connect …

Unless you know for sure you want to use those products, it’s best to avoid them.

Patch Tuesday for May 2018

Spring has sprung, and with it, a load of updates from Microsoft and Adobe.

This month from Microsoft: sixty-seven updates, fixing sixty-nine security vulnerabilities in Windows, Internet Explorer, Office, Edge, .NET, Flash, and various development tools. Seventeen of the vulnerabilities addressed are flagged as Critical and can lead to remote code execution.

The details are, as usual, buried in Microsoft’s Security Update Guide. You may find it easier to examine that information in spreadsheet form, which you can obtain by clicking the little Download link partway down the page on the right. Just above that there’s a link to the release notes for this month’s updates, but don’t expect much useful information there.

Update 2018May11: If you were looking for something to motivate your patching endeavours, consider this: two of the vulnerabilities addressed in this month’s updates are being actively exploited on the web.

As you might have guessed from Microsoft’s Flash updates, Adobe released a new version of Flash today. Flash 29.0.0.171 addresses a single critical vulnerability in previous versions. You can find release notes for Flash 29 on the Adobe web site.

You can get Flash from Windows Update if you run a Microsoft browser, via Chrome’s internal updater, or from the official Flash download page. If you use the Flash download page, make sure to disable any optional installs, as they are generally not useful.

Patch Tuesday for April 2018

Microsoft’s contribution to our monthly headache starts with a post on the TechNet MSRC blog: April 2018 security update release. This brief page consists of the same boilerplate we get every month, and provides no details at all. We’re informed that “information about this month’s security updates can be found in the Security Update Guide” but there isn’t even a link to the SUG.

Analysis of the SUG for this month’s Microsoft updates shows that there are sixty updates, addressing sixty-eight vulnerabilities in Flash, Excel, Word, and other Office components, Internet Explorer, Edge, Windows, and Defender. Twenty-three of the vulnerabilities are flagged as Critical.

If your Windows computer is not configured for automatic updates, you’ll need to use Windows Update in the Control Panel to install them.


Adobe’s offering for this month’s patching fun is a new version of Flash Player: 29.0.0.140 (APSB18-08). Six security vulnerabilities — three flagged as Critical — are fixed in the new version.

If you’re using a web browser with Flash enabled, you should install Flash 29.0.0.140 as soon as possible. The embedded Flash used in Internet Explorer 11 and Edge on newer versions of Windows will get the new version via Windows Update. Chrome’s embedded Flash will be updated via Chrome’s automatic update system. To update the desktop version of Flash, visit the About Flash page.

Flash 29.0.0.113

A new version of Flash, released on March 13 by Adobe, fixes two security vulnerabilities as well as a few other bugs.

If you use a browser with Flash enabled, you should update it as soon as possible. Most browsers no longer play Flash content automatically, or at least have options to make Flash content play only when explicitly allowed. Still, it’s best to be up to date if you use Flash at all.

Internet Explorer and Edge will get their Flash updates via Windows Update, and Google Chrome will update itself on its own mysterious schedule. You can force the issue by visiting the main Flash download page, or the About Flash page, which will prompt you to update if you’re not running the latest version. Don’t forget to disable installation of any additional software, including McAfee security products.

You can find more details in the release announcement, release notes, and the associated security bulletin.

Adobe Acrobat Reader updates

First, a few words about nomenclature…

Acrobat Reader is the name of Adobe’s free PDF viewer software. It was formerly referred to as Adobe Reader, but its full official name is now Adobe Acrobat Reader. It’s basically a stripped-down version of Acrobat, Adobe’s commercial PDF authoring tool, with most of Acrobat’s authoring capabilities removed. Acrobat Reader is free software, while Acrobat is not. If you need to author new PDF files, you need Acrobat. If you merely wish to view existing PDF files, all you need is Acrobat Reader, although Acrobat also does that.

At one point, there was only one version of Acrobat and one corresponding version of Reader. Sadly, those simpler days ended in 2015 when Adobe introduced ‘Document Cloud’ (DC) variations: Acrobat DC and Acrobat Reader DC. These new variants include cloud storage capabilities, making PDF viewing and editing more convenient for folks who work on multiple computers and platforms.

Confusing things further was a new split in the Acrobat/Reader catalog, between Continuous and Classic release tracks. They differ mainly in release priorities and update schedules. Classic variants are updated quarterly, and occasionally at other times; updates are limited to bug and security fixes. Continuous variants are updated more frequently, and besides bug and security fixes, updates include new features and enhancements.

On October 15, 2017, Adobe stopped producing the original Acrobat/Reader software in favour of the new Acrobat/Reader DC. The old software’s last version was 11.0.23. Adobe now officially recommends the DC variants over anything else. This should have simplified things, and it did, to some extent.

Adobe is also still making desktop-only versions of Acrobat and Acrobat Reader, which they refer to as Acrobat 2017 and Acrobat Reader 2017.

There are more headache-inducing details on the Document Cloud Product Tracks page on the Adobe web site.

Which one?

Okay, so which version of Acrobat Reader do I install if I just want to view PDF files? For regular folks, it’s easiest to just stick with what Adobe wants you to use, which in most cases is Acrobat Reader DC (Continuous). The desktop-only version and the DC Classic versions exist mostly for IT staff who have very specific reasons for not wanting to run DC Continuous. For them, it comes down to a choice between having access to the latest features, and being somewhat less likely to encounter problems. For example, if ‘stable and secure’ is the goal, Acrobat Reader DC Classic Track is the right choice.

February 2018 updates

With that out of the way, let’s talk about the new versions of Acrobat Reader that were released earlier this week.

A February 13 security bulletin from Adobe lists forty-one vulnerabilities, affecting earlier versions of all Acrobat Reader variants, including Acrobat Reader DC (Continuous Track) 2018.009.20050, Acrobat Reader 2017 2017.011.30070, and Acrobat Reader DC (Classic Track) 2015.006.30394.

New Acrobat Reader versions addressing those vulnerabilities are:

Acrobat Reader DC (Continuous Track) 2018.011.20035
Acrobat Reader DC (Classic Track) 2015.006.30413
Acrobat Reader 2017 2017.011.30078

There are additional details on the main release notes page for Acrobat and Acrobat Reader.

You can install Acrobat Reader by visiting the official download page at get.adobe.com/reader. That page will offer the version it thinks is best suited to your device, which for my Windows 8.1 PC is Acrobat Reader DC (Continuous Track) version 2018.011.20035. That’s also the version Adobe wants us all to use.

If you want a variant other than the one offered in the Download Center, you’ll have to navigate Adobe’s labyrinthine FTP site.

To install Acrobat Reader 2017 for Windows, go to the Acrobat2017 folder on the Adobe FTP site. Click the topmost folder, then click the installer EXE file in that folder to download it. Once installed, Acrobat Reader 2017 will keep itself updated, and you can check for any pending updates by selecting Help > Check for updates on its menu.

To install Acrobat Reader DC Classic for Windows, go to the Acrobat2015 folder on the Adobe FTP site. Click the topmost folder, then click the installer EXE file in that folder to download it. Once installed, Acrobat Reader DC Classic will keep itself updated, and you can check for any pending updates by selecting Help > Check for updates on its menu.

Flash 28.0.0.161 fixes two critical vulnerabilities

As expected, Adobe has released a new version of Flash that addresses CVE-2018-4878 and another critical vulnerability, CVE-2018-4877. A new security bulletin (APSB18-03) provides additional details.

The new version was made available on February 6. The release notes show that at least one other bug was fixed in Flash 28.0.0.161.

Anyone still using a web browser with Flash enabled should make sure that it’s up to date. CVE-2018-4877 is already being actively exploited.

As usual, Chrome will update itself automatically, and Internet Explorer and Edge will get the new Flash via Windows Update.

New Flash vulnerability already being exploited

On February 1, Adobe published a security advisory about a critical vulnerability (CVE-2018-4878) in Flash Player 28.0.0.137 and earlier versions. Successful exploitation could allow an attacker to take control of an affected system.

An exploit for CVE-2018-4878 already exists, and is being used in targeted attacks against Windows users. So far, attacks based on this vulnerability have been delivered via Office documents with malicious Flash content as email attachments.

Adobe plans to address this vulnerability next week. Meanwhile, use extreme caution when deciding whether to open email attachments, especially if they appear to be Office documents.

Flash is gradually disappearing from use, but it’s still used enough to make it a tempting target for malicious hackers.

Duo Security: No Patch Yet: Flash Vulnerability Exploited in the Wild

Flash 28.0.0.126

Adobe released a new version of Flash to coincide with yesterday’s Microsoft updates. Flash 28.0.0.126 fixes a few minor issues and one security vulnerability.

As usual, Chrome will update itself with the latest Flash, and Microsoft browsers will receive updates via Windows Update.

If you still use Flash, and in particular if you use a web browser that is configured to play Flash content, you should install the new version as soon as possible. Better still, stop using Flash altogether. Flash is being phased out in some browsers, including Firefox. Many web sites that formerly used Flash have switched to HTML5.

November updates for Adobe products

Yesterday, Adobe announced updates for several of its main products, including Flash, Acrobat Reader, and Shockwave.

Flash 27.0.0.187 addresses five critical vulnerabilities in earlier versions. You can download the new desktop version from the main Flash download page. That page usually offers to install additional software, which you should avoid. Chrome will as usual update itself with the new version, and both Internet Explorer and Edge will get their own updates via Windows Update.

Acrobat Reader 11.0.23 includes fixes for a whopping sixty-two vulnerabilities, all flagged as critical, in earlier versions. Download the full installer from the Acrobat Reader Download Center.

Shockwave Player 12.3.1.201 addresses a single critical security issue in earlier versions. Download the new version from the Adobe Shockwave Player Download Center.

If you use Flash, Reader or Shockwave to view content from untrusted sources, or if you use a web browser with add-ons enabled for any of these technologies, you should update affected systems immediately.