Updated 3/9/10 @ 3 PM: Fiserv has posted a response via the comments, and has also contacted Brian Krebs via email with the same information.
It's good to see Fiserv trying to get out in front of this, but it's troubling that a major player would make such a recommendation in the first place.
In a perfect world, large providers of money transfers and online banking services would want their customers to be as secure as possible.
So why is Fiserv telling their credit union and financial institution customers not to update their Adobe Reader installs beyond Reader 8.1?
It seems that security updates for Reader are causing functionality issues for Fiserv, to the point that they want customers to remain on a version that's two years old.
I can't even begin to count the number of serious vulnerabilities that have been reported - and are being actively exploited - on versions through the current 9.3. Staying on the current 8.1x version is both reckless and an invitation to compromise.
Brian Krebs has a detailed write-up on his Krebs on Security blog.
Fiserv has researched the client advisory that was cited yesterday by the Krebs on Security blog.
Earlier today we updated Mr. Krebs with additional facts and context regarding that advisory, which he has posted.
This update included the clarification that the advisory was not directed or available to all Fiserv clients, but rather to clients of a single solution within one individual product line.
The advisory had been viewed by fewer than three dozen individuals at the time it was removed.
We agree that this client advisory regarding an isolated software compatibility issue was not the appropriate way to address this issue, and are currently working on a technical resolution.
- Alan Ulman, Fiserv Corporate Communications
Gecko readers appreciate your taking the time to respond on behalf of Fiserv, Alan. I've posted your comment in full.