Fiserv to Banks: Keep Outdated Adobe Reader

Krebs On Security is reporting that one of the US’ largest money-transfer providers and online banking services to credit unions and other financial institutions is urging customers not to apply the latest security updates for Adobe Reader.  At issue is a non-public advisory issued by Fiserv.

A reader who works in security for a mid-sized credit union shared a notice posted prominently to a section of Fiserv’s site dedicated to security and IT managers at partner financial institutions. 

“NOTICE: Please do not upgrade Adobe Acrobat Reader past Version 8.1.   The following is of importance to all credit unions.

Until further notice, please do not upgrade Adobe Reader past version 8.1. We have recently found that there are potential compatibility issues with some of our Adobe-based products. If you have already upgraded past this version you can try uninstalling to a lower version. This may or may not be successful. For instructions on uninstalling, please visit

We will provide you with further information when it is available.”

Assuming that they really meant to say “Don’t migrate your systems past the latest 8.1.7 version (released in October 2009) that would still leave financial institutions exposed to the Reader flaw that criminals are actively exploiting to install data-stealing software via spam and hacked or malicious Web sites.

Krebs On Security

Fiserv Response:

We researched the client advisory mentioned in your posting. We appreciate your attention to this matter, as the advisory did not effectively explain our advice, nor was it the right approach to the underlying issue of Adobe compatibility.

The advisory was not directed or available to all of our clients, but rather to clients of a single solution within one individual product line. The advisory had been viewed by fewer than three dozen individuals at the time it was removed. We are working hard to resolve the Adobe compatibility issue, and to improve the rigor of our content management on the client collaboration site where the advisory was posted

– Alan Ulman, Fiserv Corporate Communications