Secunia: Adobe still serves vulnerable version of Adobe Reader

From Secunia blog:

There has recently existed some confusion amongst the users of the Secunia PSI as they are puzzled as to why the latest downloaded Adobe Reader version from Adobe.com is reported as insecure by Secunia PSI.

Is it a false positive? Due to the detection method (looking at the actual files available on the hard-drive of a PC) used in the Secunia PSI, false positives are very unlikely.

A mistake in the Secunia PSI? Perhaps, but we are happy to learn that the Secunia PSI is correct, but surprised to discover that Adobe ships insecure software to their users!

Vulnerabilities and Timeline
On 1st of May 2009, version 9.1.1 of Adobe Reader was announced and according to Adobe fixed at least one critical vulnerability. However, despite this announcement Adobe continued to serve version 9.1.0 on Adobe.com.

In the meantime, on 10th of June, another 9 critical vulnerabilities (SA34580) were fixed by Adobe in their very popular PDF viewer.

Yet, as of today, Adobe still serves version 9.1.0 on their official download location at Adobe.com, leaving the user with the task of understanding that their PC has been rendered vulnerable to attacks (from opening an innocent looking PDF attachment to surf-by-attacks when browsing websites).

More in http://secunia.com/blog/58/

Quite true. Earlier this month, I downloaded their installer... hoping to get v9.1.2, but what I could find was v9.1.0 only, which means... have to patch. If it's on a CD, I would understand why a person would be installing an insecure version, but the installer of Adobe Reader is served online. Adobe and other vendors serving online installers with new updates/patches should be able to serve a new installer that is not vulnerable or has the fixes.

Published Tue, Jul 21 2009 10:35 by donna