Friday, September 4, 2015

Adobe Reader DC Update - Network Security Importance


Today, people in MOI put quite a lot of effort into updating Adobe Reader DC to the latest version. In this post, I would like to discuss why updates like this matter from a security viewpoint, as well as the methods we can use to update software on many computers efficiently.

Adobe Reader DC Update - Introduction

To discuss the importance of the update, we first have to find out what's new in the latest update (taking the planned 15.008.20082 update as the example here). We then look only at the security part (ignoring the new features, bugs, etc.) and take version 2015.007.20033 as the affected version, for which we can get a list of CVE numbers.

Adobe lists all the security issues (Common Vulnerabilities and Exposures, CVE) that affect a given version of their Reader DC software. The list looks like: CVE-2014-0566, CVE-2014-8450, CVE-2015-3095, CVE-2015-4435, CVE-2015-4438, CVE-2015-4441, CVE-2015-4443, etc.

Each CVE identifies one security problem. For example, CVE-2014-0566 covers memory corruption vulnerabilities that could lead to code execution, and CVE-2014-8450 covers security bypass vulnerabilities that could lead to information disclosure. Any of these CVEs may be a huge security issue that allows hackers to execute programs without permission.

Adobe Reader DC Update - Methods

The most basic solution is, of course, to use "Check for Updates" in Adobe Reader. Here, however, I would like to discuss the methods IT administrators use to apply updates to multiple computers at the same time. (Although I am not familiar enough with Windows, I am discussing things in a Windows environment since that's the environment I am facing recently.)

Method 1 - AIP-GPO

AIP-GPO stands for Administrative Install Point deployed via Group Policy Objects, so the discussion is divided into two parts.

An AIP is a special directory created by extracting the contents of a self-contained MSI file into a previously empty directory with the command 'msiexec /a' (the administrative installation option). For msp patch files, you then run 'msiexec /p' to apply the patch to the MSI that was just extracted.

GPOs are used to distribute settings from a Windows server to Windows PCs that are members of a domain. After the initial GPO setup, you can simply select the AIP folder and apply the change. Users under the GPO policy will then get the latest update after the group policy refreshes and the computer restarts.

* Without real hands-on experience with AIP-GPO, I am not sure how GPO finds AIP folders, or how good this solution is.
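
The two msiexec steps described above, as an added example that is not Adobe's or the original post's own script. The file paths, share name and expected signer text are assumptions; the signature check is included because whatever lands in the AIP is later installed on every machine the GPO covers.

```powershell
# Added example: build an AIP with 'msiexec /a', then patch it with '/p'.
# All paths and the signer string below are assumptions; replace them.
$BaseMsi  = 'C:\Staging\AcroRead.msi'        # assumed: extracted base Reader MSI
$PatchMsp = 'C:\Staging\ReaderUpdate.msp'    # assumed: the update's .msp file
$AipDir   = '\\fileserver\deploy\ReaderDC'   # assumed: share the GPO will point at
$Signer   = 'Adobe'                          # assumed: text expected in signer subject

function Assert-Signed([string]$Path) {
    # Refuse to stage a package whose Authenticode signature is missing or invalid,
    # since everything placed in the AIP is later installed domain-wide.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch $Signer) {
        throw "Signature check failed for $Path (status: $($sig.Status))"
    }
}

function Invoke-Msiexec([string[]]$MsiArgs, [string]$Log) {
    # Quiet run with a verbose log. Exit code 0 is success; 3010 is success
    # with a reboot pending.
    $all = $MsiArgs + @('/qn', '/l*v', "`"$Log`"")
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $all -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) {
        throw "msiexec exited with $($p.ExitCode); see $Log"
    }
}

Assert-Signed $BaseMsi
Assert-Signed $PatchMsp

# The AIP must start from an empty directory.
if (Test-Path $AipDir) {
    if (Get-ChildItem -Path $AipDir -Force) { throw "$AipDir is not empty" }
} else {
    New-Item -ItemType Directory -Path $AipDir | Out-Null
}

# Step 1: administrative install extracts the MSI contents into the AIP.
Invoke-Msiexec @('/a', "`"$BaseMsi`"", "TARGETDIR=`"$AipDir`"") "$env:TEMP\aip-create.log"

# Step 2: apply the patch to the MSI that now sits inside the AIP.
$AipMsi = Join-Path $AipDir (Split-Path $BaseMsi -Leaf)
Invoke-Msiexec @('/a', "`"$AipMsi`"", '/p', "`"$PatchMsp`"") "$env:TEMP\aip-patch.log"

# Record the hash of the patched MSI so later tampering on the share is detectable.
Get-FileHash -Path $AipMsi -Algorithm SHA256 | Format-List Path, Hash
```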

Method 2 - Bootstrapper

Any setup.exe or other executable that installs updates and launches the MSI installer is a bootstrapper. From Adobe's documentation, we can learn the following benefits of using a bootstrapper:
  • Detects whether the required Windows Installer (MSI) is available and installs it if it isn’t.
  • Detects whether the product is already installed and only proceeds if it does not exist on the target machine.
  • Provides binary installations where the entire installer is supplied and run by each machine.
  • Provides a simple way to chain updates in the required order by simply adding the msp to the installer folder and modifying Setup.ini to apply that patch.
  • It is not subject to the patch constraint that limits an AIP from installing a quarterly update over an out-of-cycle patch. Thus, installs can always have the latest update without starting over.
So, for our purpose, we can simply add the msp file to the installer folder and modify Setup.ini to apply the latest Adobe Reader update.

* Without having enough information, I am not sure how this solution applies to multiple machines at the same time. So far, I assume the bootstrapper is a way to install and manage updates via the command line; therefore, I think, to distribute the updates to multiple machines, we have to distribute the msp file first, then run setup.exe on each machine remotely.

Method 3 - SCUP/SCCM

"System Center Updates Publisher (SCUP) is a stand-alone tool that is used in conjunction with Microsoft’s System Center Configuration Manager (CM hereafter) to allow administrators to more accurately and efficiently install and update software. Together, CM and SCUP are Microsoft’s latest change and configuration management solution that replaces older methodologies such as SMS and GPO. Unlike those technologies, CM provides features such as metering, asset intelligence, and improved remote client administration. For example, CM users can easily determine what products versions are installed including all dot and double dot patches without having to write a complicated query." -

Simply put, SCUP/SCCM is a newer solution that came after the previous two. SCUP is a catalog file, and CM is the way to publish and manage the updates. However, since it's a newer solution, it only works with 10.x and later Adobe products.


From the documentation and the software updates, we can see that Adobe takes security issues seriously. They publish patches to deal with known CVE problems and offer several methods to help IT administrators or individuals update. However, without knowing the real challenges that MOI has, it's quite funny that we were doing the updates manually by visiting every user at their seat.
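
Whichever method is used, it helps to know which machines still run an affected build before and after the rollout. The following is an added example, not part of the original post or Adobe's tooling: it compares reported versions against the 15.008.20082 update named above. It assumes the four-digit form (2015.007.20033) and the two-digit form (15.007.20033) name the same build, and that the product registers under the display name shown; the inventory rows are constructed.

```powershell
# Added example: flag Reader DC installs older than the update being rolled out.
$FixedBuild = '15.008.20082'   # from the post: the planned update

function ConvertTo-ReaderVersion([string]$Raw) {
    # Assumption: 2015.007.20033 and 15.007.20033 name the same build, so the
    # four-digit year form is reduced to the two-digit form before comparing.
    $parts = $Raw.Trim() -split '\.'
    if ($parts.Count -ne 3) { throw "Unexpected version format: '$Raw'" }
    $major = [int]$parts[0]
    if ($major -ge 2000) { $major -= 2000 }
    New-Object System.Version -ArgumentList $major, ([int]$parts[1]), ([int]$parts[2])
}

function Test-ReaderNeedsUpdate([string]$Installed) {
    # True when the installed build is older than the fixed build.
    (ConvertTo-ReaderVersion $Installed) -lt (ConvertTo-ReaderVersion $FixedBuild)
}

function Get-LocalReaderVersion {
    # DisplayVersion from the 64- and 32-bit uninstall keys. The display name
    # filter is an assumption about how the product registers itself.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Acrobat Reader DC*' } |
        Select-Object -ExpandProperty DisplayVersion
}

# Constructed inventory standing in for versions collected from each machine.
$inventory = @(
    [pscustomobject]@{ Computer = 'PC-001'; Version = '2015.007.20033' }
    [pscustomobject]@{ Computer = 'PC-002'; Version = '15.008.20082' }
    [pscustomobject]@{ Computer = 'PC-003'; Version = '15.007.20033' }
)
$inventory | Select-Object Computer, Version,
    @{ Name = 'NeedsUpdate'; Expression = { Test-ReaderNeedsUpdate $_.Version } }

# On a real machine:
#   Get-LocalReaderVersion | ForEach-Object { Test-ReaderNeedsUpdate $_ }
```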