4 Replies Latest reply on Jul 10, 2008 10:26 PM by (Ed_PWNY)

    Secunia Software Inspector Reporting Adobe Reader 8.1.2 Security Update 1 Missing

      After deploying Adobe Reader 8.1.2 Security Update 1 to all of our managed computers, I ran a vulnerability scan using Secunia Software Inspector (http://secunia.com/software_inspector) and it is reporting that Adobe Reader is insecure (it is version and references Secunia advisory SA30832 (http://secunia.com/SA30832). Specifically it reports that C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe is version, which it is. However, running Adobe Reader and selecting Help \ About Adobe Reader 8... from the menu reports that Adobe Reader is version 8.1.2. And selecting Help \ Check for Updates... from the menu reports "There are no updates available at this time." Shavlik NetChk also does not report Adobe Reader 8.1.2 Security Update 1 as missing.

      The security bulleting from Adobe (http://www.adobe.com/support/security/bulletins/apsb08-15.html) does not contain sufficient information to know if the security update has been correctly applied (there is no manifest of files with versions and dates to check).

      It appears to me that the file C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe is not sufficient to determine the version of the installed Adobe Reader, that the update to Adobe Reader 8.1.2 does not update the version of this file, and that Adobe Security Update 1 does not update this file. Therefore, I suspect that Secunia Software Inspector is incorrectly reporting that Adobe Reader is vulnerable. However, without details from Adobe about what file are updated and what versions they should be, I cannot be sure.

      How can I be sure that Adobe Reader is not vulnerable (it is fully up-to-date)?