April 21, 2009 2:42 PM PDT

F-Secure says stop using Adobe Acrobat Reader

by Elinor Mills

With all the Internet attacks that exploit Adobe Acrobat Reader, people should switch to using an alternative PDF reader, a security expert said at the RSA security conference on Tuesday.

Of the targeted attacks so far this year, more than 47 percent exploit holes in Acrobat Reader, while six vulnerabilities have been discovered that target the program, Mikko Hypponen, chief research officer of security firm F-Secure, said in a briefing with journalists.

Just last month, Adobe issued a fix for an Acrobat Reader hole that attackers had been exploiting for months, after issuing a patch for a critical vulnerability in Flash player the month before.

In 2008, the favored targeted attack vector was Microsoft Word, which had 15 known vulnerabilities (compared to Acrobat Reader's 19) and which represented 34.5 percent of the attacks (compared to 28.6 percent for Acrobat Reader), he said.

Top-level executives, defense contractors, and other people who have access to specific sensitive corporate or government information are subject to targeted attacks in which an attacker sends a file that has malicious code embedded in it. Once the file is opened, the computer is infected, typically with a back door that then steals data.

PDF and Flash browser plug-ins are also used in attacks known as "drive-by downloads" in which malware is surreptitiously downloaded onto a computer while the user is surfing the Web. The number of PDF files used in attacks rose from 128 between January 1 and April 16 last year to more than 2,300 in that same time period during this year, said Hypponen.

Adobe should make security a priority, he said.

Adobe "has a lot to learn from, of all places, Microsoft," which offers regular security patches on a monthly basis as part of Patch Tuesday, Hypponen said.

Part of the problem is that people don't expect Acrobat Reader upgrades to contain important security patches, as they do with Microsoft software, he said.

Hypponen did not recommend a PDF reader, but said Acrobat Reader alternatives are listed on the PDFReaders.org Web site.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by jag0 April 21, 2009 3:11 PM PDT
...as if the fact that it is bloated and slow isn't reason enough ;-)
by TinyIoda April 21, 2009 3:21 PM PDT
get with the times.. 9 is a fantastic version of the software.. (minus the apparent security flaws)
by jag0 April 21, 2009 3:26 PM PDT
Um...I have used it and I will continue to use faster and non-memory hog apps such as Foxit Reader.
by Angmarr April 21, 2009 3:38 PM PDT
Seriously for a Personal Use standpoint there is NO reason why one shouldn't SWITCH to FOXIT!!!

It also offers free - though in evaluation mode - editing capabilities, and is like 1/20th the size on the disk. Adobe is really useless!!!!
by lkrupp April 21, 2009 3:16 PM PDT
I'm sure Adobe is shaking in its boots now that this security expert has made this recommendation. NOT!
by n3td3v April 21, 2009 3:22 PM PDT
"Security expert"

How many times have I heard that one.
by bootsified April 21, 2009 3:30 PM PDT
So... The attacks rose from 2305 to over 2300, huh... WOW! That's shocking!
by SW_A April 21, 2009 3:30 PM PDT
Thanks for passing this warning along; I'll act on it today. That said, the following sentence needs a copy editor's attention:

"The number of PDF files used in attacks rose from 2305 between January 1 and April 16 last year to more than 2,300 in that same time period during this year, said Hypponen."
by elinormills April 21, 2009 4:11 PM PDT
Fixing. Thanks!
by Orion Blastar April 21, 2009 4:21 PM PDT
But what about DRM? Most PDF DRM features only use Adobe Acrobat reader and don't work with Foxit reader.

I have a ton of eBooks from College that are DRM protected, they won't work with other PDF readers unless there is a way to remove the DRM from those files. But doing so would violate my license for those files.
by gertruded April 21, 2009 4:38 PM PDT
Restrictive DRM License? What License? We don't need no Steeeeeeenking license.

You purchased them, you have fair use.

Don't let regulations bought by campaign contributions by gangster corporations rule your life.
by Dalkorian April 22, 2009 10:42 AM PDT
I'm with gertruded here. Cracking DRM to distribute these files on P2P networks is one thing, but cracking the DRM to fairly use the product you paid good money for is another. Screw the license - your security is worth more than the paranoia of a stuffed suit!
by jumpjetta April 21, 2009 4:39 PM PDT
I just use the Mac's native PDF-displaying capability, manifested in Preview, for most things. Seems to handle even encrypted PDFs and PDFx1a.
by ikramerica--2008 April 21, 2009 5:36 PM PDT
Preview is a good enough viewer, though lacks some features. QuickLook works fine, too. The Adobe Reader plug-in for browsers is better though. Looking for a third party Safari plug-in that works as well. Any ideas?
by hafenbrack April 22, 2009 5:54 AM PDT
Anyone who uses Vista, and the upcoming Windows 7, has the same "preview" capability built in as well.
by Dalkorian April 22, 2009 10:44 AM PDT
Good comment Hafenbrack, any suggestions for ex-pee sufferers?
by itworker--2008 April 21, 2009 4:43 PM PDT
If they could only PATCH their software instead of these huge bloated updates!!

Have critical patches separate from so called feature updates
by mikeburek April 21, 2009 8:49 PM PDT
Anyone have any experience with these listed on PDFReaders.org? I use FoxIt Reader and like it, but is there anything I'm missing?

Windows: MuPDF, Okular, Sumatra PDF, Yap
Mac: Okular, Skim
Free OS (I guess linux): Evince, KPDF, Okular, Xpdf, Yap
by fdunn3 April 22, 2009 4:40 AM PDT
Adobe is a lot safer than say FireFox so where is F-Secure's advisory not to use FF?
FireFox has had at least one major "run code" vulnerability every month (sometimes 2) for the last year.

As far as alternate PDF readers they suffer the same issues as Adobe.

Foxit has always followed Adobe with vulnerability reports almost identical in nature and criticality.

Don't believe me:
http://secunia.com/advisories/product/20648/?task=advisories_2009

As far as FireFox it had the highest number of browser code (not plug-ins) vulnerabilities than even Internet Explorer. Although IE has the highest number of ActiveX (Plug-in) issues, but those can be disabled when the vulnerability is published.

You can disable the vulnerabilities in FireFox by uninstalling it!
Although I will say this for Mozilla, when they learn of an issue they fix far faster than MS.
None the less FireFox has to be upgraded due to security issues in the application code at least once a month.

Secunia has called it the most dangerous browser to use.
by Dalkorian April 22, 2009 10:47 AM PDT
I could try to guess what you think a "safe browser" is, but I'm too busy trying not to throw up. I get that way when I see street walkers cruising the boulevard.
by Cheech_Wizard April 23, 2009 10:52 AM PDT
"Adobe is a lot safer than say FireFox so where is F-Secure's advisory not to use FF?
FireFox has had at least one major "run code" vulnerability every month (sometimes 2) for the last year."

Are you really that ignorant, or are you astroturfing? The "vulnerabilities" in Firefox were found and repaired before any lost time or lost data security incidents could happen. Firefox automatically checks for security updates once a day. Compare this to the tens of millions of dollars worth of actual damage caused by Adobe's irresponsible use of "active scripting features" in a document reader.

Officially speaking, Microsoft Internet Explorer is "safer" than Firefox, because it has many fewer reported security vulnerabilities. Officially if you work for Microsoft that is. Internet Explorer's fundamentally insecure design does hundreds of millions of dollars in actual damage to Microsoft users' machines annually, while Firefox has still not cost any user one dollar in reported lost data or work time.
by c|net Reader April 23, 2009 12:43 PM PDT
Firefox is updated quite regularly, unlike Adobe Reader. Thus, Mozilla is doing a good job of making their browser secure. For those using Windows' Automatic Updates, the fixes to IE are less obvious, but still occur. The questions to ask are how many vulnerabilities exist now, how long does it take to fix new vulnerabilities, and what functionality do you get for the risk?

I love Firefox. Recent versions of IE include tabbed browsing and may even be better than native Firefox tabs, but with Firefox, I can add various extensions which give me features not included in the base browser but that make it fit my usage just right. With IE, you get what you get and it isn't enough. For me, the benefits of Firefox, together with the rapid pace of fixing vulnerabilities, makes it a great choice. (By running NoScript in Firefox, I'm protected from most problems that Firefox alone would be vulnerable to, besides.)
by dragonbite April 22, 2009 6:09 AM PDT
I'll stick with Evince, kPDF or Okular.
by shannonkrause9123 April 22, 2009 7:22 AM PDT
Isn't it just "Adobe Reader" and not "Adobe Acrobat Reader"? I think Adobe dropped the "Acrobat" from the reader name several years ago.
by krosafcheg April 23, 2009 7:19 AM PDT
As an IT administrator, I am caught between a rock and a hard place. I don't rush to install updates anymore, because they are too-often used to push "partner" crapware.

Adobe Reader 9 includes hidden installations (RED FLAG, violation of user trust) for Adobe AIR (which is insecure in itself) and Adobe.com. The last Java update was defaulted to install the stupid MSN toolbar! If I let such programs update themselves, these companies effectively bypass IT control of our machines and network.

Such companies should have their butts sued off. They're forcing me to accept whatever self-serving software they see fit to push on us, or manually update my whole network (and often uninstall the crapware that was included).

This is supposed to encourage frequent updating? Hardly!