Adobe’s Serial Security Patching: The Big Picture

When it comes to IT assets, data and information security are top-of-mind for business leaders and IT professionals alike—and for good reason.

In our connected world the risks of data breaches, malware, and compromises of identity are very real. Vulnerabilities in the integrity of software and SaaS solutions continue to be exploited, leading to attacks of varying scale on organizations of all sizes.

Many vendors address vulnerabilities by releasing security patches, which must be applied by users and/or administrators of the at-risk program. But while it’s helpful to have these fixes available, the exposure of such vulnerabilities in the first place can be frustrating—especially if new problems consistently arise in the same applications.

Adobe’s Reader and Acrobat are prime examples of such programs that require constant security maintenance.

Patches galore

In October’s Patch Tuesday report, Adobe identified a whopping 71 critical vulnerabilities and released corresponding fixes for Acrobat and Reader versions XI and later. Adobe releases patches for their products on a monthly basis, so you can imagine how many must be regularly applied to maintain security for supported versions. But what about customers running older versions of Acrobat and Reader?

Simply put, they’re S.O.L. Adobe ended core support for earlier versions in November 2015, meaning unsupported users are vulnerable to remote code execution and security bypassing without the benefit of any of the security patches the company has released.

End-of-Life

Of course, End-of-Life for Adobe’s software shouldn’t come as a surprise to any customers running on affected versions. The company communicates such changes well in advance—for example, the end of core support for Acrobat XI has already been scheduled for a full year from now.

“It is always recommended to remove End-of-Life programs from your PC as they are no longer maintained and supported by the vendor and do not receive security updates. They must therefore be treated as insecure,” says Kasper Lingaard, Director of Security at Flexera Software. “If you identify and remove End-of-Life programs you have made your PC a great deal more secure.”

Sounds simple enough—just identify the unsupported versions, upgrade to the newest version of the software, and uninstall all unsupported versions across the organization. Right?

If you’ve ever found yourself in this category, you know it’s not so easy. Contract negotiations, compliance reviews, version audits, manual installs/uninstalls, upgrade costs—as a busy IT pro, these hoops could easily make just sticking with what you’ve got look pretty attractive. (Until something goes wrong, that is!)

A Proven Replacement

If security is a priority in your organization, you’ll benefit by checking out other options for PDF software—because, let’s face it, the Adobe Acrobat and Reader security patches won’t be diminishing any time soon.

Here’s a quick checklist of security considerations to keep in mind as you start looking at replacement solutions:

Who owns the IP, and who writes the code?
How quickly can security patches be issued?
What is the security track record?
How are updates managed?
What document security features does the application provide?

Not coincidentally, Nitro has all of these bases covered.

Our proprietary IP means that, in the rare case that a security issue should arise (we say rare because Nitro has only had to release a single security fix over the past five years!), we can attack it with speed. Fixes can be delivered through our silent updates, so IT doesn’t need to waste time tracking down different versions and applying the right security patches manually. And with document security features like RMS 2.0, digital certificates, redaction, and document permissions, users have the tools to protect their important files, too.

It really comes down to offering a secure solution that’s a breeze for IT to manage and simple for users to adopt. To learn more about Nitro’s approach to security, visit our site.