October 11, 2009 4:06 PM
The danger of the 'part-time' application
by John Dunn
No application better typifies the ubiquity of 'part-time software' than Acrobat Reader. Everyone uses it at some point, but very few use it every day. And that's where the danger starts.
It's suffered a consistent flow of vulnerabilities in recent times, not all of which have been quickly patched, but that's not the half of it. Reliable statistics tell us that a hard core of Acrobat Reader installs either don't get patched quickly or never get patched at all, which gives malware a reliable target on large numbers of PCs more or less all the time.
Users might be lazy updaters, but that's not why Acrobat stays unpatched. In the world of the part-time app, it's an inevitable part of the way this unusual type of app works.
Check out your own PC, perhaps the one that is in the back room and not turned on every day. Chances are, if you fire up Acrobat, that it has version 8.0 of the Reader, probably because that machine has not actually opened a PDF for as long as a year. Now that the software has started it will at some point realise it has to update itself, and here's what it will have to do to get to the current version of Reader, version 9.1.3, on Windows.
So take a seat.
1. Incremental update number one: a five-minute download and install to get to version 8.1.3.
2. Incremental update number two: an 18.1MB download to get to version 8.1.4. Another ten minutes.
3. A further 1.6MB download to get to 8.1.5.
4. A 9.1MB update to get to version 8.1.6.
5. I'll stop here.
And so the process goes on and on and on. It's like being trapped in a little Acrobat 8 universe from which there is no easy escape. The only way to shorten the process is to go to the Adobe site and download Acrobat 9.0 (which still needs two further updates beyond that), but that is not the default, and only informed users who know such a version exists would do such a thing.
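The chain above is really a shortest-path problem over a graph of updates, and the post's point is that the default path (one incremental step at a time) and the informed path (a full installer, then a couple of updates) differ enormously in hops and bytes. The script below is an added illustration, not code from the post or from Adobe: it models the update catalogue as a graph and runs Dijkstra over download size, once with only incremental steps and once allowing the direct jump to the full installer. The 8.x step sizes are the ones the post quotes; the versions after 8.1.6, the 9.x intermediates, and every size marked "assumed" are constructed placeholders, not Adobe's real catalogue.

```python
"""Incremental-update chain versus cumulative installer (constructed model).

Illustrative example, not Adobe's update catalogue. Step sizes for the 8.x
chain are the ones quoted in the post; every value marked 'assumed' is a
placeholder chosen only to make the graph connected.
"""
import heapq
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(v: str) -> Version:
    """'8.1.3' -> (8, 1, 3); '8.0' is padded to (8, 0, 0) so tuples compare."""
    parts = tuple(int(p) for p in v.split("."))
    return (parts + (0, 0, 0))[:3]  # type: ignore[return-value]


def is_stale(installed: str, current: str) -> bool:
    """A stale install is anything older than the current patched release."""
    return parse_version(installed) < parse_version(current)


# Edges: installed version -> [(next version, download size in MB)].
# Only the 8.1.3 .. 8.1.6 sizes come from the post; the rest are assumed.
UPDATE_GRAPH: Dict[str, List[Tuple[str, float]]] = {
    "8.0":   [("8.1.3", 5.0)],    # assumed size (post gives only the time)
    "8.1.3": [("8.1.4", 18.1)],
    "8.1.4": [("8.1.5", 1.6)],
    "8.1.5": [("8.1.6", 9.1)],
    "8.1.6": [("8.1.7", 10.0)],   # assumed
    "8.1.7": [("8.2.0", 10.0)],   # assumed
    "8.2.0": [("9.0", 30.0)],     # assumed: the chain eventually crosses to 9.x
    "9.0":   [("9.1", 20.0)],     # assumed
    "9.1":   [("9.1.3", 5.0)],    # assumed
}

# The full installer on the vendor site: any older version may jump straight
# to it. Size assumed.
FULL_INSTALLER: Tuple[str, float] = ("9.0", 35.0)


def shortest_update_path(
    start: str,
    target: str,
    graph: Dict[str, List[Tuple[str, float]]],
    full_installer: Optional[Tuple[str, float]] = None,
) -> Optional[Tuple[float, List[str]]]:
    """Dijkstra over download size.

    Returns (total_mb, [versions visited]) or None if target is unreachable.
    If full_installer is given, every version older than it gets an extra
    edge straight to it, modelling 'go to the vendor site and download it'.
    """
    settled: Dict[str, float] = {}
    heap: List[Tuple[float, int, str, List[str]]] = [(0.0, 0, start, [start])]
    while heap:
        total, hops, ver, path = heapq.heappop(heap)
        if ver == target:
            return total, path
        if ver in settled and settled[ver] <= total:
            continue
        settled[ver] = total
        nexts = list(graph.get(ver, []))
        if full_installer and parse_version(ver) < parse_version(full_installer[0]):
            nexts.append(full_installer)
        for nxt, mb in nexts:
            heapq.heappush(heap, (total + mb, hops + 1, nxt, path + [nxt]))
    return None


def compare_paths(installed: str, current: str) -> Dict[str, Tuple[float, int]]:
    """For each strategy: (total MB, number of update hops) to reach current."""
    out: Dict[str, Tuple[float, int]] = {}
    for name, full in (("incremental", None), ("full_installer", FULL_INSTALLER)):
        result = shortest_update_path(installed, current, UPDATE_GRAPH, full)
        if result is not None:
            total, path = result
            out[name] = (round(total, 1), len(path) - 1)
    return out


if __name__ == "__main__":
    print("stale:", is_stale("8.0", "9.1.3"))
    for strategy, (mb, hops) in compare_paths("8.0", "9.1.3").items():
        print(f"{strategy:>15}: {hops} hops, {mb} MB")
```

The incremental strategy walks every node of the 8.x chain before it can cross to 9.x, while the full-installer strategy collapses that into a single edge; the difference in hops is what the user in the back room actually experiences as waiting time. The same graph walk, with a real inventory of installed versions, is how a fleet-wide "how far behind are we" check would be built.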
The problem is that the Acrobat updater (and other apps like it) was designed for a world where everyone has updating turned on and uses the program often enough to patch as they go, and in which security vulnerabilities are probably not a major concern. This is an unrealistic model of how users interact with PCs, and as far as security goes, obsolete. My understanding is that Adobe knows this.
One not very good answer is for Adobe to create a memory-resident dedicated updater (see Java) that can make intelligent decisions about new versions, but who wants yet another piece of crapware using up memory? It's likely that antivirus programs will take on more of these duties in the mould of Secunia's excellent (and free) Software Inspector program, but only a minority of users consider these must-have programs.
A better way forward is for Windows to take on the demands of updating applications as they install, but this would take a new means for such software to interact with the OS, and such a thing does not yet exist. Only then will part-time software no longer mean full-time risk.