Patching Adobe Reader

I never used to worry too much about keeping Adobe Reader up to date. Then a couple months ago, I got my first-ever computer virus infection, delivered courtesy of a PDF vulnerability. I decided I’d better get my computers and those of my clients updated with the latest Adobe patches.

The Easy Part: Patching to 9.1.1

I applied for a license to redistribute Adobe Reader, and (woo-hoo!) my application was accepted. I feel so special! The good thing about this is that you get links and instructions about how to create a Reader installer that excludes Adobe AIR and Acrobat.com using the Adobe Customization Wizard.

Following the example in this article, I was able to include the patch to 9.1.1 by simply adding this line to the setup.ini:

PATCH=AdbeRdrUpd911_all_incr.msp

Once that was done, I had a setup package that I could run on any computer to upgrade it to Adobe Reader 9.1.1. Earlier versions were uninstalled automatically as necessary.

The Hard Part: Getting to 9.1.3

That blissful state of affairs only lasted a couple months. Now that yet another critical vulnerability is being exploited, Adobe got back on my radar last week with the release of 9.1.3. (I had missed 9.1.2, which I later learned was a quarterly patch as opposed to a security patch.)

So, time to update 9.1.1 to 9.1.3. How hard could it be?

Plenty hard.

The main problem is that, as explained in this TechNote, Adobe does not allow you to apply a quarterly patch to Reader if the most recent patch was a security patch. That’s right: if you keep your software up to date with security patches, you have to do a reinstall to get to the next quarterly patch, which is in turn the prerequisite for the next security patch.

The secondary problem is that quarterly patches apparently cannot be applied with the PATCH= line; they must be applied using MS installer patching techniques. That at least seems to be the gist of this thread. I’m indebted to TTEConline, who in post #37 of that thread sent me in the right direction for the MSI install.

These rather astonishing limitations led me to what feels like a very cobbled-together approach to patching Reader. But here is what worked this time:

  1. Download standard Reader 9.1 (without AIR) for Windows XP SP3 and Vista from the secret link Adobe sends you.
  2. Extract with this command:
    AdbeRdr910_en_US.exe -nos_ne -nos_o"CustomAcroRead911"

  3. Download the Reader 9.1.2 quarterly update (includes the 9.1.1 security patch) and the new 9.1.3 security patch.
  4. Run the following command to patch your Administrative Install Point (AIP) to 9.1.2:
    msiexec /a AcroRead.msi /p AdbeRdrUpd912_all_incr.msp
    When prompted, direct the output to the “PatchedTo912” subdirectory, which it will create for you. Note that this modifies AcroRead.msi to be version 9.1.2. Supposedly data1.cab is no longer needed, but I got install errors without it. However, it’s okay to delete the AdbeRdrUpd912_all_incr.msp file now.

  5. Customize AcroRead.msi using Adobe Customization Wizard. I chose to remove the desktop icon, remove all Acrobat.com access, create a silent install (prompt user if reboot necessary), and some other stuff. Save the project, which creates the transform file AcroRead.mst and updates setup.ini to call the transform.
  6. Add the following line to the setup.ini [Product] section:
    PATCH=AdbeRdrUpd913_all_incr.msp

Two-Step Deployment

Congratulations, you now have a 210MB package that will install Adobe Reader 9.1.3. But wait! That only works if the previous version was not a security patch. So it works if no Adobe Reader is present, or if 9.0.0 is present, but not if 9.1.1 is present.

Here’s what I had to do to update my 9.1.1 installations:

  1. In the [Product] section of setup.ini, based on the aforementioned TechNote, change the CmdLine to read
    CmdLine=TRANSFORMS="AcroRead.mst" REINSTALL=ALL REINSTALLMODE=vomus /q

  2. Apply the patch to all 9.1.1 machines. With the forced REINSTALL, it is now able to go to 9.1.2. However, the 9.1.3 patch is not applied.
  3. Go back and directly apply the 9.1.3 patch as a stand-alone patch to all machines. I discovered that a Zenith job can deploy the .msp file directly using a shell execute (don’t forget the /quiet parameter), but if you need to test or run from a command line, here it is:
    msiexec /p AdbeRdrUpd913_all_incr.msp /quiet

Note that if, after the update to 9.1.2, you try re-running the main install without the REINSTALL parameters, it will either fail or trigger a Repair installation, but it will not apply 9.1.3. Hence the need to patch directly.
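
The version-dependent paths above can be captured in a small planning script; this is an added example, not part of the original post or of Adobe's tooling. It assumes Reader is listed under the standard Windows Uninstall registry key with a DisplayName beginning "Adobe Reader" and a DisplayVersion such as 9.1.1, and it only prints the steps to take rather than running them.

```powershell
# Added example, not from the original post. Assumptions: Reader appears under the
# standard Uninstall registry key with a DisplayName beginning "Adobe Reader" and a
# DisplayVersion such as 9.1.1. Nothing is installed; the script only reports.
$Target = '9.1.3'

function Get-ReaderVersion {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Reader*' } |
        Select-Object -First 1
    if ($entry) { "$($entry.DisplayVersion)" } else { '' }
}

function Get-ReaderPlan([string]$Installed) {
    $main     = 'Run main package (setup.ini with PATCH=AdbeRdrUpd913_all_incr.msp)'
    $patch913 = 'msiexec /p AdbeRdrUpd913_all_incr.msp /quiet'
    switch ($Installed) {
        ''      { $main }       # no Reader present
        '9.0.0' { $main }       # last update was not a security patch
        '9.1.1' {               # security patch present: forced reinstall, then patch
            'Run package with CmdLine=TRANSFORMS="AcroRead.mst" REINSTALL=ALL REINSTALLMODE=vomus /q'
            $patch913
        }
        '9.1.2' { $patch913 }   # main install will not apply 9.1.3; patch directly
        $Target { 'Already at target; nothing to do' }
        default { "Untested starting version '$Installed'; try it on a test machine first" }
    }
}

# Constructed sample inputs: the plan for each starting state the post covers.
foreach ($v in '', '9.0.0', '9.1.1', '9.1.2', '9.1.3') {
    $label = if ($v) { $v } else { '(none)' }
    '{0,-7} -> {1}' -f $label, ((Get-ReaderPlan $v) -join ' ; then ')
}

# Plan for this machine, plus a check to re-run after deployment: an installer can
# log success while Reader still reports the old version.
$now = Get-ReaderVersion
"This machine: '$now'"
Get-ReaderPlan $now
if ($now -ne $Target) { Write-Warning "Reader reports '$now', expected $Target" }
```

Re-running the script after each deployment step shows whether the machine actually moved to the next version before the following step is pushed.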

Adobe: We Need One Installer

It’s possible that I missed something here and that there is a much easier way to do this. But judging from the Adobe forum posts, lots of people are struggling with Adobe administrative installations. It shouldn’t be this hard!

By the way, Adobe Updater is not an option in a security-conscious environment where users do not have administrative privileges.

It’s okay if one patch requires the previous patch to be installed, but it’s not okay if one patch (9.1.2) requires that the previous patch (9.1.1) not be installed to work normally. I mean, if a security patch is there, why not just automatically do whatever you need to do to apply the next patch, whether quarterly or security?

And please, allow applying multiple quarterly and security patches in one step.

In short: give us one installer that will always bring Adobe Reader to the latest version, no matter what is or isn’t installed on a machine. And don’t make it an all-day task to create the installer.

C’mon Adobe, add some intelligence to your patch mechanisms!

2 thoughts on “Patching Adobe Reader”

  1. Ryan

    Will this install right on top of 9.0.0? The “PatchedTo912” subdirectory, is that needed for deployment or only when you update 9.1.0 to 9.1.2? I have got it to work one other way but it installs, in the event viewer it says installed successfully, but if you open Adobe Reader and go to help it says 9.0.0 still…..

    Thanks for your great blog…..

  2. Mark Berry

    Ryan, this was almost a month ago so the details are no longer in my head, but regarding the PatchedTo912 version, I did write, “So it works if no Adobe Reader is present, or if 9.0.0 is present, but not if 9.1.1 is present.” So yes, I think you’d be able to upgrade 9.0.0 and yes, you’ll need the PatchedTo912 folder. Good luck – I feel your pain!
