I never used to worry too much about keeping Adobe Reader up to date. Then a couple months ago, I got my first-ever computer virus infection, delivered courtesy of a PDF vulnerability. I decided I’d better get my computers and those of my clients updated with the latest Adobe patches.
The Easy Part: Patching to 9.1.1
I applied for a license to redistribute Adobe Reader, and (woo-hoo!) my application was accepted. I feel so special! The good thing about this is that you get links and instructions about how to create a Reader installer that excludes Adobe AIR and Acrobat.com using the Adobe Customization Wizard.
Following the example in this article, I was able to include the patch to 9.1.1 by simply adding this line to the setup.ini:
Once that was done, I had a setup package that I could run on any computer to upgrade it to Adobe Reader 9.1.1. Earlier versions were uninstalled automatically as necessary.
The Hard Part: Getting to 9.1.3
That blissful state of affairs only lasted a couple months. Now that yet another critical vulnerability is being exploited, Adobe got back on my radar last week with the release of 9.1.3. (I had missed 9.1.2, which I later learned was a quarterly patch as opposed to a security patch.)
So, time to update 9.1.1 to 9.1.3. How hard could it be?
The main problem is that, as explained in this TechNote, Adobe does not allow you to apply a quarterly patch to Reader if the most recent patch was a security patch. That’s right: if you keep your software up to date with security patches, you have to do a reinstall to get to the next quarterly patch, which is in turn the prerequisite for the next security patch.
The secondary problem is that quarterly patches apparently cannot be applied with the PATCH= line; they must be applied using MS installer patching techniques. That at least seems to be the gist of this thread. I’m indebted to TTEConline, who in post #37 of that thread sent me in the right direction for the MSI install.
These rather astonishing limitations led me to what feels like a very cobbled-together approach to patching Reader. But here is what worked this time:
- Download standard Reader 9.1 (without AIR) for Windows XP SP3 and Vista from the secret link Adobe sends you.
- Extract with this command:
AdbeRdr910_en_US.exe -nos_ne -nos_o"CustomAcroRead911"
- Download the Reader 9.1.2 quarterly update (includes the 9.1.1 security patch) and the new 9.1.3 security patch.
- Run the following command to patch your Administrative Install Point (AIP) to 9.1.2:
msiexec /a AcroRead.msi /p AdbeRdrUpd912_all_incr.msp
When prompted, direct the output to the “PatchedTo912” subdirectory, which it will create for you. Note that this modifies AcroRead.msi to be version 9.1.2. Supposedly data1.cab is no longer needed, but I got install errors without it. However, it’s okay to delete the AdbeRdrUpd912_all_incr.msp file now.
- Customize AcroRead.msi using Adobe Customization Wizard. I chose to remove the desktop icon, remove all Acrobat.com access, create a silent install (prompt user if reboot necessary), and some other stuff. Save the project, which creates the transform file AcroRead.mst and updates setup.ini to call the transform.
- Add the following line to the setup.ini [Product] section:
Congratulations, you now have a 210MB package that will install Adobe Reader 9.1.3. But wait! That only works if the previous version was not a security patch. So it works if no Adobe Reader is present, or if 9.0.0 is present, but not if 9.1.1 is present.
Here’s what I had to do to update my 9.1.1 installations:
- In the [Product] section of setup.ini, based on the aforementioned TechNote, change the CmdLine to read
CmdLine=TRANSFORMS="AcroRead.mst" REINSTALL=ALL REINSTALLMODE=vomus /q
- Apply the patch to all 9.1.1 machines. With the forced REINSTALL, it is now able to go to 9.1.2. However, the 9.1.3 patch is not applied.
- Go back and directly apply the 9.1.3 patch as a stand-alone patch to all machines. I discovered that a Zenith job can deploy the .msp file directly using a shell execute (don’t forget the /quiet parameter), but if you need to test or run from a command line, here it is:
msiexec /p AdbeRdrUpd913_all_incr.msp /quiet
Note that if, after the update to 9.1.2, you try re-running the main install without the REINSTALL parameters, it will either fail or trigger a Repair installation, but it will not apply 9.1.3. Hence the need to patch directly.
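The version-dependent upgrade paths described above, written as one PowerShell script that picks the steps from the installed Reader version. This is an added example, not from the original post or from Adobe. Its assumptions: the share path, that the 9.1.3 .msp sits in the package folder, that Reader's Uninstall entry has a DisplayName starting with "Adobe Reader", and that msiexec is called directly rather than through an edited CmdLine in setup.ini.

```powershell
# Added example: choose the Reader upgrade path by installed version.
param(
    [string]$Package = '\\server\share\PatchedTo912',  # hypothetical share holding the patched AIP
    [switch]$Run                                       # without -Run the plan is only printed
)

function Get-ReaderVersion {
    # Assumption: Reader registers a DisplayName beginning "Adobe Reader" under Uninstall.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Reader*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-UpgradePlan([string]$Installed, [string]$Package) {
    # Each step is a program plus its argument string.
    $full      = @{ File = "$Package\setup.exe"; Args = '' }
    $reinstall = @{ File = 'msiexec.exe'
                    Args = "/i `"$Package\AcroRead.msi`" TRANSFORMS=`"$Package\AcroRead.mst`" REINSTALL=ALL REINSTALLMODE=vomus /q" }
    $patch913  = @{ File = 'msiexec.exe'
                    Args = "/p `"$Package\AdbeRdrUpd913_all_incr.msp`" /quiet" }
    switch -Regex ($Installed) {
        '^$|^9\.0\.0(\D|$)' { return $full }                  # no Reader, or 9.0.0: package works as-is
        '^9\.1\.1(\D|$)'    { return $reinstall, $patch913 }  # security patch present: forced reinstall, then 9.1.3
        '^9\.1\.2(\D|$)'    { return $patch913 }              # already on the quarterly: patch directly
        '^9\.1\.3(\D|$)'    { return }                        # up to date, nothing to do
        default             { throw "Reader version '$Installed' is not covered by this procedure" }
    }
}

$installed = Get-ReaderVersion
$plan = @(Get-UpgradePlan $installed $Package)   # @() keeps an empty plan empty
foreach ($step in $plan) {
    '{0} {1}' -f $step.File, $step.Args
    if (-not $Run) { continue }
    $p = @{ FilePath = $step.File; Wait = $true; PassThru = $true }
    if ($step.Args) { $p.ArgumentList = $step.Args }   # Start-Process rejects an empty argument list
    $code = (Start-Process @p).ExitCode
    # msiexec: 0 = success, 3010 = success, reboot required
    if ($code -ne 0 -and $code -ne 3010) { throw "Step failed with exit code $code" }
}
```

Run it once without -Run on a test machine to confirm the detected version and the planned commands before deploying.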
Adobe: We Need One Installer
It’s possible that I missed something here and that there is a much easier way to do this. But judging from the Adobe forum posts, lots of people are struggling with Adobe administrative installations. It shouldn’t be this hard!
By the way, Adobe Updater is not an option in a security-conscious environment where users do not have administrative privileges.
It’s okay if one patch requires the previous patch to be installed, but it’s not okay if one patch (9.1.2) requires that the previous patch (9.1.1) not be installed to work normally. I mean, if a security patch is there, why not just automatically do whatever you need to do to apply the next patch, whether quarterly or security?
And please, allow applying multiple quarterly and security patches in one step.
In short: give us one installer that will always bring Adobe Reader to the latest version, no matter what is or isn’t installed on a machine. And don’t make it an all-day task to create the installer.
C’mon Adobe, add some intelligence to your patch mechanisms!