F-Secure Suggests Ditching Adobe Reader For Free PDF Viewers

Posted by timothy on Wed Apr 22, 2009 05:42 PM
from the jane-the-sex-was-good-but-I've-had-enough-circus dept.
hweimer writes "Yesterday at RSA security conference, F-Secure's chief research officer recommended dropping Adobe Reader for viewing PDF files because of the huge amount of targeted attacks against it. Instead, he pointed to PDFreaders.org, a website maintaining a list of free and open source PDF viewers."
Related Stories

IT: Adobe Confirms PDF Zero-Day, Says Kill JavaScript (211 comments)
CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"
  • Already there (Score:5, Informative)

    by andytrevino (943397) on Wednesday April 22 2009, @05:44PM (#27680467) Homepage
    I've been using Foxit Reader for some time on my aging laptop because of performance issues with Adobe Reader 9, and it works great. http://www.foxitsoftware.com/pdf/reader/ [foxitsoftware.com]
    • Re: (Score:3, Insightful)

      same here. I switched to foxit ages ago, simply because of adobe being so bloated. It made reading PDFs enjoyable again.
    • Re: (Score:3, Informative)

      Agreed. Small download. Quick start-up. Never had a problem. Foxit rocks.
      • Re:Already there (Score:5, Insightful)

        by Saint Stephen (19450) on Wednesday April 22 2009, @05:55PM (#27680583) Homepage Journal

        Foxit has a couple of problems with some forms-based PDFs my work gave me, but on the other hand, it lets me save form field values in pdfs where acrobat won't.

        It's great; I got sick of the bloat ware and "run all the time! in the background! always show up with checks for prompts for updates every time I open my browser!" that adobe has turned into.

        now if foxit only made a flash player

        • Re:Already there (Score:5, Insightful)

          by FlyingBishop (1293238) on Wednesday April 22 2009, @06:09PM (#27680747)

          Actually, the article specifically suggests that Adobe needs to improve its automatic update system, not remove it.

          Foxit is getting pretty widely used, and it will be especially vulnerable if it lacks a mechanism to update itself automatically.

          Convenience != good architecture.

          I'm not sure who are more dangerous, those that don't update because they don't know what updates are, or those that don't update because they're too paranoid about corporations whose software they already use to allow that software to be patched against demonstrated security issues.

          That said, Adobe is bloated. It just has nothing to do with running all the time in the background and prompting for updates, but just with generally shitty programming. Anything used for a significant portion of web traffic needs to have a mechanism to automatically retrieve updates, especially if the user is too lazy to make sure that their system is up to date and secure.

          • by omeomi (675045) on Wednesday April 22 2009, @06:13PM (#27680795) Homepage

            I'm not sure who are more dangerous, those that don't update because they don't know what updates are, or those that don't update because they're too paranoid about corporations whose software they already use to allow that software to be patched against demonstrated security issues.

            What about those of us who don't update because we're too lazy?

            • Re:Already there (Score:5, Insightful)

              by QRDeNameland (873957) on Wednesday April 22 2009, @06:24PM (#27680895)

              What about those of us who don't update because we're too lazy?

              Then there's those of us who don't update because we've been burnt by updates breaking things way too many times in the past.

            • Re: (Score:3, Interesting)

              Funny I know, but it's not far off -- Acrobat only bugs me about updating when I'm about to try doing something else. 'I know you said you wanted to see this PDF, but wouldn't you be happier waiting 10 minutes for a software update instead?'

              Acrobat needs some method of downloading updates in the background and then just asking you if you want to apply them (yes/no) when you start it, but applying them later, when you're done.

              Then again, most apps need to do things like that.

            • by JoeBuck (7947) on Wednesday April 22 2009, @06:40PM (#27681051) Homepage

              What about those of us who don't update because we're too lazy?

              You might be lazy, but your computer isn't; it's been sending out spam 24/7 for a while now.

        • Re:Already there (Score:5, Informative)

          by DanWS6 (1248650) on Wednesday April 22 2009, @06:26PM (#27680917)
          I was a firm believer in foxit, until I had to fill out my 1040 and related forms. Some of the fields were just screwed up. I had to cave and install acrobat. I died a little inside that day.
        • by bigtrike (904535) on Wednesday April 22 2009, @07:16PM (#27681369)

          Foxit does not yet support JetForm/LiveCycle based PDFs. Neither does OSX's Preview.

          I wish people would stop using LiveCycle to produce PDFs, from what I can tell the format is not documented in the PDF ISO specification. Additionally, the newer format does not seem to provide any features that were not previously available in PDF. One can only speculate that it was done out of laziness or to thwart competition after they opened the format.

      • Re:Already there (Score:4, Informative)

        by blind biker (1066130) on Wednesday April 22 2009, @07:24PM (#27681439) Journal

        And what I find quite important: it renders text quite well. At least I don't see a big difference between how Foxit renders text vs. Acrobat. But, as I was saying in another post, Sumatra does a very bad job - so much so, that I feel slightly nauseated when reading documents with Sumatra.

    • Re:Already there (Score:5, Informative)

      by zonky (1153039) on Wednesday April 22 2009, @06:15PM (#27680807)
      Yes, it's so feature compatible with adobe, they've added similar exploits! http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1104 [mitre.org]
      • Re:Already there (Score:5, Interesting)

        by toleraen (831634) * on Wednesday April 22 2009, @06:30PM (#27680955)
        Exactly what I don't get of this. When tracking the adobe exploits I saw several for Foxit pop up. The guy is basically advising security through obscurity. Foxit definitely released patches quicker than Adobe, but the vulnerabilities were still there...
    • Re:Already there (Score:4, Informative)

      by FRiC (416091) on Wednesday April 22 2009, @07:00PM (#27681233) Homepage

      Until Foxit Reader (at least the Windows version, no experience with other versions) can support Unicode, it will never replace Adobe Reader.

    • Re:Already there (Score:5, Insightful)

      by jbn-o (555068) <mail@digitalcitizen.info> on Wednesday April 22 2009, @07:55PM (#27681679) Homepage

      Foxit Reader is proprietary, no more inspectable or modifiable than Adobe's PDF reader and therefore no more trustworthy than any other proprietary software. No proprietary software is not a good solution to the problems faced with Adobe's proprietary PDF Reader. You are merely jumping from one proprietor to another.

      A reasonable recommendation is a FLOSS PDF reader such as Sumatra, Skim, or one of the other fine PDF readers recommended by PDFReaders.org [pdfreaders.org].

      • Re:Already there (Score:4, Informative)

        by andytrevino (943397) on Wednesday April 22 2009, @06:18PM (#27680845) Homepage

        Free as in beer, not as in speech. The article lists a number of alternatives with varying degrees of maturity and practical utility...

        For example, I'm not going to install KDE on Windows just to read PDFs, and if I'm going to recommend an alternative PDF reader to one of my Average Joe friends, customers or relatives I'm not going to have them download one without an installer [gnustep.it] or from a website whose name has nothing to do with the product [ccxvii.net] (MuPDF) that looks like it was designed circa 1997. Appearance is everything, you know, which is something that I think has greatly contributed to Firefox's success: both the product and the website look smooth, classy and refined.

  • by Kelson (129150) * on Wednesday April 22 2009, @05:44PM (#27680481) Homepage Journal

    It's interesting that of the 8 alternatives mentioned, only Okular is listed as being available across the board on Windows, Mac OS X, and (as they put it), "Free Operating Systems." (Linux, BSD, etc.) Even so, it involves installing KDE on top of Windows or Mac OS X, but at least it can be done.

    The only two-platform reader, Yap, appears to be based on GNUStep, and I don't actually see a Windows download on the web page.

    • by dov_0 (1438253) on Wednesday April 22 2009, @05:53PM (#27680567)

      I've been using Evince on Linux for years now. No dramas. Runs about 10 times faster than the Adobe Reader as well.

      Does whether a particular reader is cross-platform really matter? Most people only seem to use the zoom in/out, scroll up/down and preview pane functions anyway. Not a lot to figure out on a different system...

    • by buchner.johannes (1139593) on Wednesday April 22 2009, @06:21PM (#27680869) Homepage Journal

      The websites are the horror from a windows end-user point of view.

      Okular: no download, build descriptions?
      MuPDF: A parser description?
      Yap: That screenshot ...
      Sumatra PDF: Looks good.

      • Re: (Score:3, Informative)

        I tried Sumatra (newest version) and while its installed size is small, compared to the features it offers, it's bloated (ok, it's not bloated if you compare to Adobe, but it is compared to Foxit). But that's not the real problem with Sumatra: the gravest issue is the rendering: I thought I'll get a headache reading text rendered by Sumatra. It was very unpleasant at any zoom level.

    • by flyingfsck (986395) on Thursday April 23 2009, @12:14AM (#27683411)
      You can edit PDFs and paste text onto forms with the Gimp. Kinda painful, but it works and then you can save the file in any format you want.
      • by Kelson (129150) * on Wednesday April 22 2009, @05:52PM (#27680557) Homepage Journal

        Doesn't Apple have their own non-adobe pdf reader built into OS X?

        Yes, Preview can read PDFs (among many other formats) well enough that I didn't even install Adobe Reader when I bought a new MacBook a few months ago. Admittedly I'm not sure how well it handles forms, but it has no problems with static PDF files.

        Of course, I doubt it's open source/free software, so it wouldn't be on this list anyway.

        • by pete-classic (75983) <hutnick@gmail.com> on Wednesday April 22 2009, @06:54PM (#27681163) Homepage Journal

          Forms support is decent, but not perfect. I reported a couple of bugs I ran into filling out my tax forms this year. Specifically, I couldn't save a PDF in Adobe Reader that had form data already saved in it with Preview. And the digits didn't align correctly in the bank routing and account number fields.

          I use it frequently. My only other gripe is that the search is brain-dead. (It "ors" all the search terms, which is never what I want. Putting an "AND" between them doesn't help :-/)

          It might sound like I don't like it, but these are actually my only complaints. Very solid app.

          It's also worth noting that PDF export is built right into the print subsystem. No goofy third party print drivers. No need for individual apps to understand PDF.

          -Peter

      • by John Whitley (6067) on Wednesday April 22 2009, @06:15PM (#27680805) Homepage

        Yes. There's also Skim [sourceforge.net] for OS X, which is far and away my favorite PDF reader for any platform. It's actually designed by and for people who really want to read, quickly search, and annotate PDFs.

        Here are two of Skim's great features that I'd love to see in other PDF readers:

        1. Fast search with great presentation. Skim's PDF text search is blazing fast, provides a concise one-hit per line view, as well as thumbnails of the page around the search target on mouse hover. The thumbs are great for quickly winnowing down to the correct hit; you often don't need to even read the text, just the "look" is enough to know you've got the right thing.
        2. The ability to easily spin off small windows frozen to a part of a page -- great for popping open a diagram or other material referenced across multiple pages of a text.

        I do believe that Skim relies heavily on various OS X frameworks (e.g. for PDF rendering, Spotlight support for search, etc.). That definitely goes to show the value of providing functionality via general, well-conceived and well-implemented frameworks instead of being wrapped up inside of monolithic applications.

  • Helpfully (Score:5, Funny)

    by Anonymous Coward on Wednesday April 22 2009, @05:50PM (#27680529)

    F-Secure posted a PDF with exploits to uninstall Adobe Reader and install a new free reader.

  • by gilgongo (57446) on Wednesday April 22 2009, @05:54PM (#27680579) Homepage Journal

    Acrobat utterly takes the biscuit when it comes to being the most execrably awful, arrogant, bloated, buggy, piece of software ever made, ever. And that's in a world where Microsoft exists as well.

    But as if that isn't bad enough, it ALSO ranks as the most tragic irony in *all* *computing* *history* that such a screamingly, revoltingly, tear-out-your-hair-and-become-a-monk awful software is essentially based on an open standard. I'll say that again: PDF is an *open* ISO standard. HOW did Adobe rape and strangle it to death like they did? If anyone wants an example of how unspeakably evil marketing and sharp practices can be, they need look no further than Adobe Acrobat.

    If I never used Acrobat ever again it would be too soon.

    • by Anonymous Coward on Wednesday April 22 2009, @06:08PM (#27680737)

      the most execrably awful, arrogant, bloated, buggy, piece of software ever made, ever.

      It's called Realplayer.

    • by Anonymous Coward on Wednesday April 22 2009, @06:20PM (#27680853)

      That was my response to the dreamweaver CS3 install that dumped over 800 meg of bolt-on garbage and two new services BEFORE starting the actual dreamweaver install.

      And the new-and-improved dreamweaver was almost exactly the same as the macromedia version. They added a new CSS selector and a new tab for their adobe ajax framework. And they broke the best interakt extension. So the product went backwards, despite trending towards epic MS levels of application footprint.

      They acquired the interakt folks and I think CS4 suckers are still waiting for the supported port.

      Everything adobe touches turns to shit if you ask me.

    • by H0p313ss (811249) on Wednesday April 22 2009, @06:38PM (#27681027)

      Acrobat utterly takes the biscuit when it comes to being the most execrably awful, arrogant, bloated, buggy, piece of software ever made, ever.

      Clearly you have not used anything Lotus has shipped in the past decade.

    • by spinkham (56603) on Wednesday April 22 2009, @07:08PM (#27681297)

      Acrobat utterly takes the biscuit when it comes to being the most execrably awful, arrogant, bloated, buggy, piece of software ever made, ever. And that's in a world where Microsoft exists as well.

      I see you never used Visual SourceSafe.

      But yes, Acrobat sucks.

  • For those on the go (Score:5, Informative)

    by compro01 (777531) on Wednesday April 22 2009, @06:01PM (#27680649)

    Sumatra PDF is also available in a portable format [portableapps.com].

    • Re: (Score:3, Informative)

      I was introduced to Sumatra from portable apps and now use it instead of FoxIt. It does have a few issues here and there, but it seems to work better.
  • by Burdell (228580) on Wednesday April 22 2009, @06:11PM (#27680767)

    Being the most targeted is not a good reason to switch (being the most exploited may be). However, rather than say "acroread sucks, try something else", shouldn't a security company actually check the security of the alternatives? Alternative does not automatically imply better; how do I know that the alternatives are not worse?

    How many of the alternatives implement all the features required (and implement them securely)? Viewing an owner's guide PDF or some such isn't a big deal (I'd hope they can all do that); I need to know if all the form handling works correctly (because I need to use that).

    • by mrbene (1380531) on Wednesday April 22 2009, @10:35PM (#27682823)
      I think F-Secure's unofficial stance is outlined best in their blog [f-secure.com] from a while back:

      we're not recommending Foxit. We're not recommending Sumatra. Or PDF-Xchange, CoolPDF or eXPert PDF. Instead, we recommend users to find their own Adobe Reader replacement. This way we get more heterogeneous userbase, which is a good idea security-wise.

  • by bogaboga (793279) on Wednesday April 22 2009, @06:19PM (#27680849)

    "Yesterday at RSA security conference, F-Secure's chief research officer recommended dropping Adobe Reader for viewing PDF files because of the huge amount of targeted attacks against it.

    I used to use Adobe's PDF reader but while running Windows XP, I got a message prompting me to upgrade my Adobe reader to the latest.

    I attempted to and the downloaded file was quite small. On completing the installation, I found out that I was stuck with a directory heavy at 200MB! Uninstalling the extras did not help matters.

    Later on, I discovered Foxit Reader [foxitsoftware.com]. I haven't looked back and I am not worried about Adobe misbehaving for I know they would not like Microsoft to gain any traction with their XPS [microsoft.com] format.

  • I have a ton of DRM protected eBooks from my college. They only work in Adobe Acrobat Reader. How do I remove the DRM, or would removing the DRM so that I can use them in a third party PDF viewer be a violation of my license with the college and publishers?

    I really don't want to lose my eBook library, but I don't want to get infected either.

  • by owlnation (858981) on Wednesday April 22 2009, @06:48PM (#27681119)
    Actually, what would also be a huge help (regardless of reader) would be to only use PDF where it was appropriate to do so -- namely, when the end user actually needs to print said document.

    I realize there's pretty much no point in saying this, as it seems that many designers -- especially in large organizations -- seem to give little thought to the end user, and the usability of their site. (inappropriate or unnecessary use of pdf, flash, javascript, popups (still!) etc )

    I'm tired of going to a site to find that in order to find out -- for example, where an event is going to take place -- that I have to download a 3 page pdf document, one that would have been so much easier and quicker and accessible as html on a webpage.

    I'm willing to bet that, at the very least, half of all pdfs created do not need to be pdfs in the first place.
  • by MartinSchou (1360093) on Wednesday April 22 2009, @06:48PM (#27681129)

    Okular has no chance there. Not amongst regular Windows users at least.

    Step 1 - Go to PDFreaders.org [pdfreaders.org] - no issue
    Step 2 - Click on "Download" on the intersection between Okular and Windows - no issue
    Step 3 - Click "Download latest installer for immediate installation." - no issue
    Step 4 - Run the KDE installer - not so much an issue, as what it does is
    Step 5 - Click Next - "install from Internet" is the default setting, sounds reasonable
    Step 6 - Select a download server - "What the hell did I just download then?"
    Step 7 - Select an available release - Ehh? Whut?
    Step 8 - Select the package you want to install - Well, that's just fucked up. 140+ packages to choose from. They're sorted by package name ONLY, cannot sort by package notes.
    Step 9 - Look for something called Okular as package name. None found
    Step 10 - "Oh, well, maybe these are packages I want in addition to Okular. I mean, I downloaded the Okular installer, right?"
    Step 11 - Click Next
    Step 12 - Installation/Update finished
    Step 13 - Realise that NOTHING has been installed.
    Step 14 - Get annoyed
    Step 15 - Call tech support (realise this is a free program and there's no one to yell at)
    Step 16 - Download and run the installer again (because they forgot where they downloaded it to)
    Step 17 - Get to the package list and start reading very carefully
    Step 18 - Wonder why the hell the package list goes Czech, Kashubian, Welsh, Danish, German, Greek, English, Esperanto, Spanish, Estonian [spelling package]
    Step 19 - Realise there's still no Okular package anywhere
    Step 20 - Read the list for the 3rd time and note that "Graphics applications" has a note "(including Okular)"
    Step 21 - Wonder why the hell the download Okular link from before doesn't give you the fucking package to begin with
    Step 22 - Notice that you're now downloading 40 (forty!) packages from the servers
    Step 23 - Notice that one of these files is 60+ MB
    Step 24 - Wonder why they call Acrobat Reader bloated and slow when that installer is less than 25 MB and takes about 30 seconds to install, just by clicking Next until you're done.
    Step 25 - Notice that you now have a folder called "Programs" in your Start menu's program folder, which is apparently a sym-link to the program folder (doesn't point to itself though)
    Step 26 - Find the "KDE 4.22 Release" folder in Programs and notice these programs:

    • Help
    • Graphics\More Applications\KColorChooser (Color Chooser)
    • Graphics\More Applications\KRuler (Screen Ruler)
    • Graphics\Gwenview (Image Viewer)
    • Graphics\KolourPaint (Paint Program)
    • Graphics\Okular (Document Viewer)
    • Network\KNetAttach (Network Folder Wizard)

    Step 27 - Wonder once more why the hell people call Acrobat Reader bloated when this program installs with 5 extra programs.
    Step 28 - Start the bloody program!
    Step 29 - KConf_update.exe would like to run. So, Acrobat Reader running its updater - Bad! This - GOOD!
    Step 30 - TRY to put frustrations aside and use the program

    That installer REALLY needs some work.

    And if you are going to have a Windows program, be as kind as to have an actual uninstaller. NONE of the KDE programs installed are listed in (Add/Remove)Programs(and Features). No uninstallers in the start menu either. I realise a lot of vocal FOSS supporters don't like Windows, but please - if you're going to advocate FOSS, at least make it live up to the LOW standards of Windows software (the non-malicious part of that group).

    • by LiquidFire_HK (952632) on Wednesday April 22 2009, @07:49PM (#27681625)

      Well, to be fair, the KDE on Windows [kde.org] page does say, in bold,

      KDE on Windows is not in the final state, so applications can be unsuitable for day to day use yet.

      The installer is far from suitable for end-users as well. I'm not sure why the website would link to the KDE installer without any instructions (there is no installer specific to Okular, or any specific KDE program, yet).

  • Foxit is unsuitable (Score:5, Informative)

    by GF678 (1453005) on Wednesday April 22 2009, @06:52PM (#27681151)

    This isn't FUD, this is based on my own experiences:

    I've found that the latest Foxit Reader is unable to show certain PDFs, in particular those created using the latest version of Adobe Acrobat. I created some PDFs in Acrobat 9 and when loaded into Foxit Reader 3.0, showed up entirely blank. The only way to view them was to put Adobe Reader on instead. So I did.

    I'm not sure why Foxit showed these PDFs entirely blank. Maybe Acrobat 9 has a new version of the PDF standard that's incompatible, I don't know. What I do know is it means that if I want to guarantee the viewing of PDF files, I pretty much require Adobe products, which isn't that bad if you're using Reader 9 (much faster than version 8).

    Possibly a vendor lock-in mechanism, but I'm tired of fighting. It's easier just to go with Adobe and get on with work.

    • by GF678 (1453005) on Wednesday April 22 2009, @06:55PM (#27681183)

      One more thing I forgot to mention - I switched from Acrobat to PDFCreator a while back. It's very good, and anything I render using PDFCreator works just fine with Foxit Reader. Also has the side benefit of being open source and an example of an actually GOOD open source product. Unfortunately this doesn't discount the fact that other people might use Acrobat to render THEIR PDFs, and I don't want to cut myself off from being able to view them.

  • Tracker Software (Score:4, Informative)

    by Eric^2 (33085) <eric@ijack.nAUDENet minus poet> on Wednesday April 22 2009, @10:20PM (#27682717) Homepage

    The free PDF Viewer from Tracker Software [docu-track.com] is a wonderfully fast PDF reader, and comes with annotation capability right out of the box. They are very developer friendly, and their PDF XChange printer drivers produce PDFs that are tighter and better optimized than Adobe themselves. Great company to work with, and a great free PDF viewer.

    • by moderatorrater (1095745) on Wednesday April 22 2009, @06:45PM (#27681095)

      using this guy's logic, he should be saying to dump Microsoft and use another OS due to the large number of breakins on Windows boxes.

      Unless he thought that the cost of switching OSes was significantly higher than the cost of switching to another free piece of software on top of that OS. With Windows, people need it to do things that no other operating system can do, namely, running Windows-only applications as well as they can be run. Switching to another OS requires either dealing with emulation, a VM, or not being able to run those programs at all. In addition, there are costs in either a steep learning curve going to linux or hardware to get a Mac. Cost to change: many, many hours of learning or a few thousand dollars.

      On the other hand, as long as these PDF readers can read any pdf that adobe can, and as long as they're free like adobe is, there's no other cost. Hell, you can even have adobe installed just in case you'll need it, but make another reader the default for everything, thereby giving you the security of having another reader without any loss in functionality. Cost to change: maybe half an hour.

      In other words, your bias is showing.