For those of us who use Preview for casual viewing of PDFs, is there word on its safety regarding the same/similar vulnerabilities?
I don't have information on specific vulnerabilities in Preview*, but as older versions of macOS are unsupported with security updates, I would not use Preview to open PDFs of unknown origin on any unsupported OS - so, currently, that's macOS 10.12 or earlier.

Apple maintains a security updates list. Once a Preview PDF vulnerability is listed here, it won't be fixed in any unsupported OS – i.e., currently, macOS 10.12 or earlier.
 


if you run the Updater (Help > Check for Updates…) it reports "Adobe Acrobat is already up to date" - no, it's not, it's out of date and insecure!
Adobe has never shown respect to its customers. Last night, I was checking my daughter's laptop for a slowdown, and began reading a pdf file. There were gray bars and white bars showing up. Checked updates, and it responded with 'up to date'. Then I looked at the app: Reader 8, from 2013.
 


Adobe has never shown respect to its customers. Last night, I was checking my daughter's laptop for a slowdown, and began reading a pdf file. There were gray bars and white bars showing up. Checked updates, and it responded with 'up to date'. Then I looked at the app: Reader 8, from 2013.
I've seen the same thing. Adobe's automatic updates for Acrobat Reader install the latest patch level for the version you're running, but they don't upgrade you to the new version, even when it is free. At least that's been my experience.

So if you're running Adobe Acrobat Reader 8, you'll have the latest patches for 8, but it won't upgrade you to 9, X, XI or DC (which is what's current).
 


So if you're running Adobe Acrobat Reader 8, you'll have the latest patches for 8, but it won't upgrade you to 9, X, XI or DC (which is what's current).
Acrobat 2015, 2017 and 2019 (DC) are current. All now require macOS 10.12 or later to install/stay up to date.

Acrobat 2015 stops being current/supported on 7th April 2020.

Acrobat 2017 stops being current/supported on 6th June 2022.
 


Just a timely reminder/for your information, as the latest Acrobat security update issued earlier this week apparently includes a fix for

You can be secure and up to date with any of the following:

Adobe Reader 2015 v1500630523
Adobe Acrobat Pro 2015 v1500630523
Adobe Reader 2017 v1701130171
Adobe Acrobat Pro 2017 v1701130171
Adobe Reader DC/2020 v2000920063
Adobe Acrobat Pro DC/2020 v2000920063

It is very important to note that you can only apply the latest security patches as long as you are running macOS 10.12 or later. If you're running an earlier OS, you are out of luck, and so, based on this vulnerability, it would be wise to either upgrade your OS or remove Acrobat altogether.

You can update your Adobe software by going to Help menu > Check for updates

Or you can download the updater manually via:

Adobe Reader:

Acrobat Pro:
 



As one who doesn't really need Acrobat Reader and has eliminated it, I am a bit curious as to how these vulnerabilities might play out in Apple's Preview app. Is there some sort of immunity for the Mac app?

Considering the constant, chronic, never-ending vulnerabilities with the Adobe product, isn't, perhaps, a new paradigm in order at the company? Is anyone really minding the store, so to speak?
 


As one who doesn't really need Acrobat Reader and has eliminated it, I am a bit curious as to how these vulnerabilities might play out in Apple's Preview app. Is there some sort of immunity for the Mac app?
I'm fairly certain the vulnerabilities are with the Adobe Reader app itself, rather than with any underlying technologies shared by other PDF readers, including Preview. If you've uninstalled Adobe Reader, you should be fine. Has anyone heard otherwise?
 


As one who doesn't really need Acrobat Reader and has eliminated it, I am a bit curious as to how these vulnerabilities might play out in Apple's Preview app. Is there some sort of immunity for the Mac app?
These vulnerabilities are in the Adobe products, but everyone should be aware that Portable Document Format (PDF) is insecure by design. You may think that PDF is just a container for PostScript (which is a dangerous assumption in itself, since PostScript is really a Turing complete language similar to Forth), but PDFs can contain:
  • JavaScript!
  • Launch actions, which can launch any command or program on the operating system, with any parameters
  • Embedded files, which can include scripts
  • GoToE actions which can open embedded files automatically, without user notification
  • Embedded Flash applications!
  • Access to data in databases
  • Actions to play embedded sound and video files
It's like Adobe thought, how can we take Flash and make it even more dangerous?

For more information, see the start of Julia Wolf's aptly named 2010 presentation, OMG WTF PDF. The video is here.

Also there's this compilation of PDF security resources, last updated in 2017:
Weaponized PDF - Payload Delivery Format.
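
A triage check for the features listed in the post above, as an added example that is not part of the original thread: it counts the PDF name keywords behind those features in a file's raw bytes and decodes `#xx` name escapes, so an obfuscated `/J#61vaScript` is still counted. The keyword table and the sample bytes are constructed for illustration, and `/OpenAction` and `/AA` are included as an assumption about which automatic triggers are worth flagging.

```python
import re
import sys

# PDF name keywords behind the features listed in the post above.
# OpenAction and AA are added here: they trigger actions automatically.
RISKY_NAMES = {
    "JavaScript": "JavaScript action",
    "JS": "JavaScript source",
    "Launch": "launch action (starts a program)",
    "EmbeddedFile": "embedded file stream",
    "GoToE": "go-to-embedded action",
    "RichMedia": "Flash / rich media annotation",
    "OpenAction": "action run when the document opens",
    "AA": "additional automatic actions",
}

# A name is "/" followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def scan_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes (compressed streams are not inflated)."""
    counts = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample: a fragment of PDF object syntax, not a working document.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names << /EmbeddedFiles 4 0 R >> >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (constructed) >> endobj\n"
    b"3 0 obj << /S /Launch /F (placeholder) >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, count in sorted(scan_pdf(data).items()):
        print(f"/{name:<13}{count:>4}  {RISKY_NAMES[name]}")
```

A zero count does not clear a file: names stored inside compressed object streams are invisible to a raw byte scan, so treat hits as a reason to look closer rather than misses as proof of safety.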
 


I'm fairly certain the vulnerabilities are with the Adobe Reader app itself, rather than with any underlying technologies shared by other PDF readers, including Preview. If you've uninstalled Adobe Reader, you should be fine. Has anyone heard otherwise?
There have been occasions where Preview or some PDF process has received a security patch that can be seen in the details linked on Apple Security Updates, but not nearly as often as the Adobe Reader app updates occur.
 


Wasn't there a problem with Adobe apps falsely claiming no updates were needed when critical updates actually were pending? (I don't recall the details.)
Yes. If you are running OS X 10.11 or earlier, Acrobat applications will report there are no updates needed when in fact there may be. The latest security updates just won't install on those older OSes - there is no warning that this is the case, though.

And here is the ultimate case in point - this root-level escalation security hole - and anyone running OS X 10.11 or earlier with Acrobat Pro or Reader will not know they are insecure and wide open!
 


I'm fairly certain the vulnerabilities are with the Adobe Reader app itself, rather than with any underlying technologies shared by other PDF readers, including Preview. If you've uninstalled Adobe Reader, you should be fine. Has anyone heard otherwise?
A while back, when all this issue of installing Adobe Acrobat security updates came up, and I posted here, I looked through the recent history of macOS security updates and could not find any direct relations to Apple Preview PDF, but that doesn't mean there [aren't] potential security holes.

There are, however, security issues for image processing, and Apple Preview does that, too. So, you should only be running/using Apple Preview if you are running a supported macOS and the latest security update, which currently is:
  • macOS 10.15 Catalina: macOS 10.15.4 Update
  • macOS 10.14 Mojave: macOS 10.14.6 Update + Security Update 2020-002
  • macOS 10.13 High Sierra: macOS 10.13.6 Update + Security Update 2020-002
 

