No application better typifies the ubiquity of ‘part-time software’ than Acrobat Reader. Everyone uses it at some point, but very few use it every day. And that's where the danger starts.
It's suffered a consistent flow of vulnerabilities in recent times, not all of which have been quickly patched, but that's not the half of it. Reliable statistics tell us that a hard core of Acrobat Reader installs either don't get patched quickly or never get patched at all, which gives malware a reliable target on large numbers of PCs more or less all the time.
Users might be lazy updaters but that's not why Acrobat stays unpatched. In the world of the part-time app, it's an inevitable part of the way this unusual type of app works.
Check out your own PC, perhaps the one that is in the back room and not turned on every day. Chances are, if you fire up Acrobat, that it has version 8.0 of the Reader, probably because that machine has not actually opened a PDF for as long as a year. Now that the software has started it will at some point realise it has to update itself, and here's what it will have to do to get to the current version of Reader, version 9.1.3, on Windows.
So take a seat.
1. Incremental update number one. Five minute download and install to get to version 8.1.3.
2. Incremental update number two, an 18.1MB download to get to version 8.1.4. Another ten minutes.
3. A further 1.6MB download to get to 8.1.5.
4. A 9.1MB update to get to version 8.1.6.
5. I'll stop here.
And so the process goes on and on and on. It's like being trapped in a little Acrobat 8 universe from which there is no easy escape. The only way to shorten the process is to go to the Adobe site and download Acrobat 9.0 (which still needs two further updates beyond that), but that is not the default and only informed users who know such a version exists would do such a thing.
The problem is that the Acrobat updater (and other apps like it) was designed for a world where everyone has updating turned on and uses the program often enough to patch as they go, and in which security vulnerabilities are probably not a major concern. This is an unrealistic model of how users interact with PCs, and as far as security goes, obsolete. My understanding is that Adobe knows this.
One not very good answer is for Adobe to create a memory-resident dedicated updater (see Java) that can make intelligent decisions about new versions, but who wants yet another piece of crapware using up memory? It's likely that antivirus programs will take on more of these duties in the mould of Secunia's excellent (and free) Software Inspector program, but only a minority of users considers these as must-have programs.
A better way forward is for Windows to take on the demands of updating applications as they install, but this would take a new means for such software to interact with the OS and such a thing does not yet exist. Only then will part-time software no longer mean full-time risk.