F-Secure Suggests Ditching Adobe Reader For Free PDF Viewers 249
hweimer writes "Yesterday at RSA security conference, F-Secure's chief research officer recommended dropping Adobe Reader for viewing PDF files because of the huge amount of targeted attacks against it. Instead, he pointed to PDFreaders.org, a website maintaining a list of free and open source PDF viewers."
Already there (Score:5, Informative)
Not Much Cross-Platform (Score:5, Informative)
It's interesting that of the 8 alternatives mentioned, only Okular is listed as being available across the board on Windows, Mac OS X, and (as they put it), "Free Operating Systems." (Linux, BSD, etc.) Even so, it involves installing KDE on top of Windows or Mac OS X, but at least it can be done.
The only two-platform reader, Yap, appears to be based on GNUStep, and I don't actually see a Windows download on the web page.
Re:Already there (Score:3, Informative)
Re:Not Much Cross-Platform (Score:5, Informative)
Doesn't Apple have their own non-adobe pdf reader built into OS X?
Yes, Preview can read PDFs (among many other formats) well enough that I didn't even install Adobe Reader when I bought a new MacBook a few months ago. Admittedly I'm not sure how well it handles forms, but it has no problems with static PDF files.
Of course, I doubt it's open source/free software, so it wouldn't be on this list anyway.
For those on the go (Score:5, Informative)
Sumatra PDF is also available in a portable format [portableapps.com].
Re:Already there (Score:5, Informative)
Re:Already there (Score:4, Informative)
Free as in beer, not as in speech. The article lists a number of alternatives with varying degrees of maturity and practical utility...
For example, I'm not going to install KDE on Windows just to read PDFs, and if I'm going to recommend an alternative PDF reader to one of my Average Joe friends, customers or relatives I'm not going to have them download one without an installer [gnustep.it] or from a website whose name has nothing to do with the product [ccxvii.net] (MuPDF) that looks like it was designed circa 1997. Appearance is everything, you know, which is something that I think has greatly contributed to Firefox's success: both the product and the website look smooth, classy and refined.
I dropped Adobe PDF reader for a different reason (Score:4, Informative)
"Yesterday at RSA security conference, F-Secure's chief research officer recommended dropping Adobe Reader for viewing PDF files because of the huge amount of targeted attacks against it.
I used to use Adobe's PDF reader but while running Windows XP, I got a message prompting me to upgrade my Adobe reader to the latest.
I attempted to and the downloaded file was quite small. On completing the installation, I found out that I was stuck with a directory heavy at 200MB! Uninstalling the extras did not help matters.
Later on, I discovered Foxit Reader [foxitsoftware.com]. I haven't looked back and I am not worried about Adobe misbehaving for I know the would not like Microsoft to gain any traction with their XPS [microsoft.com] format.
Re:Already there (Score:5, Informative)
Re:Acrobat: The Worlds Worst Software (Score:3, Informative)
Re:For those on the go (Score:3, Informative)
Re:What about DRM PDFs? (Score:2, Informative)
Search for ineptpdf.pyw.
Re:Already there (Score:2, Informative)
Foxit is unsuitable (Score:5, Informative)
This isn't FUD, this is based on my own experiences:
I've found that the latest Foxit Reader is unable to show certain PDFs, in particular those created using the latest version of Adobe Acrobat. I created some PDFs in Acrobat 9 and when loaded into Foxit Reader 3.0, showed up entirely blank. The only way to view them was to put Adobe Reader on instead. So I did.
I'm not sure why Foxit showed these PDFs entirely blank. Maybe Acrobat 9 has a new version of the PDF standard that's incompatable, I don't know. What I do know is it means that if I want to gurantee the viewing of PDF files, I pretty much require Adobe products, which isn't that bad if you're using Reader 9 (much faster than version 8).
Possibly a vendor lock-in mechanism, but I'm tired of fighting. It's easier just to go with Adobe and get on with work.
Re:Not Much Cross-Platform (Score:4, Informative)
Forms support is decent, but not perfect. I reported a couple of bugs I ran into filling out my tax forms this year. Specifically, I couldn't save a PDF in Adobe Reader that had form data already saved in it with Preview. And the digits didn't align correctly in the bank routing and account number fields.
I use it frequently. My only other gripe is that the search is brain-dead. (It "ors" all the search terms. which is never what I want. Putting an "AND" between them doesn't help :-/)
It might sound like I don't like it, but these are actually my only complaints. Very solid app.
It's also worth noting that PDF export is built right into the print subsystem. No goofy third party print drivers. No need for individual apps to understand PDF.
-Peter
Re:Foxit is unsuitable (Score:5, Informative)
One more thing I forgot to mention - I switched from Acrobat to PDFCreator a while back. It's very good, and anything I render using PDFCreator works just fine with Foxit Reader. Also has the side benefit of being open source and an example of an actually GOOD open source product. Unfortunately this doesn't discount the fact that other people might use Acrobat to render THEIR PDFs, and I don't want to cut myself off from being able to view them.
Re:Already there (Score:4, Informative)
Until Foxit Reader (at least the Windows version, no experience with other versions) can support Unicode, it will never replace Adobe Reader.
Re:Not Much Cross-Platform (Score:3, Informative)
I tried Sumatra (newest version) and while it's installed size is small, compared to the features it offers, it's bloated (ok, it's not bloated if you compare to Adobe, but it is compared to Foxit). But that's not the real problem with Sumatra: the gravest issue is the rendering: I thought I'll get a headache reading text rendered by Sumatra. It was very unpleasant at any zoom level.
Broken ones are JetForm/LiveCycle based (Score:4, Informative)
Foxit does not yet support JetForm/LiveCycle based PDFs. Neither does OSX's Preview.
I wish people would stop using LiveCycle to produce PDFs, from what I can tell the format is not documented in the PDF ISO specification. Additionally, the newer format does not seem to provide any features that were not previously available in PDF. One can only speculate that it was done out of laziness or to thwart competition after they opened the format.
Re:Already there (Score:4, Informative)
And what I find quite important: it renders text quite well. At least I don't see a big difference between how Foxit renders text vs. Acrobat. But, as I was saying in another post, Sumatra does a very bad job - so much so, that I feel slightly nauseated when reading documents with Sumatra.
Re:Okular has no chance there ... (Score:4, Informative)
Well, to be fair, the KDE on Windows [kde.org] page does say, in bold,
KDE on Windows is not in the final state, so applications can be unsuitable for day to day use yet.
The installer is far from suitable for end-users as well. I'm not sure why the website would link to the KDE installer without any instructions (there is no installer specific to Okular, or any specific KDE program, yet).
here's a more comprehensive list (Score:3, Informative)
This list [billposer.org] is more comprehensive.
I've gone to Kpdf and I won't go back (Score:2, Informative)
I used to use Adobe's Linux Acrobat Reader; 4 was the first version I recall using. I loved that Adobe provided a Linux release, even if it wasn't open (I prefer open programs, but I won't cry if I don't get them). I kept upgrading as new versions were released, until, I think, 8 (maybe?) This version decided that it would install a bunch of shit into ~/.local, overriding KDE's PDF icons with its own that were out of place, and generally making a mess of itself. Cleaning up ~/.local didn't help, because acroread would create that horrible, horrible mess each time I started it. If I wanted to change file associations, etc, I would do it! I don't need a program doing it behind my back. Ask me, that's fine; don't just do it, though.
So I ditched acroread. I realized that kpdf does everything I need it to, it integrates with my desktop, and it doesn't try to force changes on me. I'd probably still be a happy acroread user if they didn't decide that they should take over my desktop. That works on windows, where people have become resigned to programs fucking them over. But it doesn't work for me.
Comment removed (Score:3, Informative)
Re:What about DRM PDFs? (Score:3, Informative)
On linux: gs -q -dCompatibilityLevel=1.4 -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=b.pdf a.pdf -c '.setpdfwrite'
Who cares? You're in a situation where you're being horribly abused. The professor chose the book, the publisher chose to put DRM on it, and the publishing industry's lobbyists got Congress to pass the DMCA...just do whatever works for you. You paid for the book, after all.
Turn off javascript in AR: Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".
#6 there is the dealbreaker. (Score:3, Informative)
Apple's "Preview" (included with OS X, and did anyone mention that OS X's display model is visual PDF or something like that?) does pretty much everything you need there, better than Acrobat, and with less bloat. (And to the other poster who was wondering, yes, you can fill in forms. Can't create/edit them, though.) But although it runs on Intel, it doesn't run on Windows. Sorry. :(
Tracker Software (Score:4, Informative)
The free PDF Viewer from Tracker Software [docu-track.com] is a wonderfully fast PDF reader, and comes with annotation capability right out of the box. They are very developer friendly, and their PDF XChange printer drivers produce PDF's that are tighter and better optimized than Adobe themselves. Great company to work with, and a great free PDF viewer.
Re:How about a security review? (Score:5, Informative)
we're not recommending Foxit. We're not recommending Sumatra. Or PDF-Xchange, CoolPDF or eXPert PDF. Instead, we recommend users to find their own Adobe Reader replacement. This way we get more heterogeneous userbase, which is a good idea security-wise.
PDF Studio from Qoppa (Score:2, Informative)
One more to consider. I haven't tried this product yet but will soon. NOTE: It ain't free. It's based on Java. But it's less expensive and if they keep the package trim and secure, that's fine by me. I just don't want to deal w/A-D'oh-be anymore.
PDF Studio(tm) for Linux, Mac & Windows
http://www.qoppa.com/index.html [qoppa.com]
Disclaimer: If this product sucks, my apologies in advance for suggesting it.
Re:What about DRM PDFs? (Score:4, Informative)
Kpdf (part of KDE 3.5) had a checkbox to ignore DRM. I don't know of Okular (KDE 4) does.
The Gimp is Cross-Platform (Score:4, Informative)
Re:Acrobat: The Worlds Worst Software (Score:1, Informative)
I haven't used KPDF since I was messing around with KDE4.0, when it seemed to cause major wedging, but KPDF/KDE3 was acceptable. GhostView is better than evince for clever PS files, although I much prefer Evince's user interface, and it works fine for ordinary PS documents (without animation etc.) and DJVU (used for ebooks). I haven't really used Orakular, since I am not a KDE user.
F-Secure Blog (Score:2, Informative)
Acrobat is nuisanceware (Score:1, Informative)
Unfortunately it is true that some PDFs only work with Acrobat (although I admit that I have never met a "protected" PDF that was worth the protection). So in some cases, installing Acrobat seems to be necessary, even on MacOS X, where the OS provides a pretty good PDF Viewer. However, when you do that, Adobe installs plugins in your browser and changes browser settings without even asking, just like any other malware. And after every upgrade you have again to go through the settings and repair the damage Adobe has done. I wouldn't complain if Acrobat was an improvement over the built in PDF Viewer, but it is slower, bloated, has an inconsistent user interface (being inconsistent in itself it cannot be consistent with the other applications of the plattform). And in the single area where you would wish some improvement over Mac OS X Preview, namly in printing (ever tried to print a document as a booklet?), it delivers no improvement. So it is probably fair to classify Acrobat as malware: a nuisance to the user with hardly any benefit.
Re:Already there (Score:3, Informative)
I learned of Skim a few months ago, and it looks like a great tool. Extensive navigation and annotation abilities, with the annotations saved separately (merging them into the PDF file is also supported). Exactly what I want for migrating to more on-screen research and study.
Unfortunately, it is dependent upon Mac OS PDF handling libraries. I've been wishing/hoping something similar will appear that is cross platform. Some recent news about Python-based PDF libraries (I forget the specific names, at the moment) has perked my interest/hope a bit.
I hope something does develop. Or that I generate enough spare cash to finally put down for a Mac. (Suboptimal: I don't want to be tied to Apple's libraries.)
Re:Broken ones are JetForm/LiveCycle based (Score:3, Informative)
It is an open specification:
http://partners.adobe.com/public/developer/xml/index_arch.html [adobe.com]
And yes it does provide a lot of things not available in the pdf spec - for example directly rendered forms (which require significantly less bandwidth).
I wish people would stop spreading fud about Acrobat/Reader. Having worked for Adobe (I no longer do sadly) on Acrobat specifically a few facts:
A) update manager only starts with the app - it doesn't run constantly and you can disable it and use the help > check for updates feature - you can even deploy it to a million machines with this setting (thanks to its msi installer and customization wizard).
B) patches are released only once per quarter - I don't recall anytime (unless it was a security hotfix) that we released more than one patch per quarter.
C) Foxit is great - its the reason why Adobe made the PDF spec and ISO standard.
That said - it only impliments maybe a tenth (and I'm being really generous here) of what Reader/Acrobat can do. If you take reader and remove all the plugins from it its as small as foxit and starts just as fast and has as much functionality. There really are people in banking, finance, manufacturing, education, printing etc that rely on these features.
As some people have mentioned - it lacks a lot of features required in form support. I'd also add that it doesn't support postscript passthrough, or any number of a hundred different features required for pre-press work (color separation, color management, analysis or reporting).
I'd also add that foxit supports javascipt as well - which means eventually once it reaches Slashdot market dominance it will become a ripe target for hackers as well.
On security - as far back as Acrobat 4 it had security issues - no-one messed around with it because frankly it wasn't a big enough target. It wasn't until someone a while back (I think while Acrobat 7 was shipping) that someone exploited it and the blood was in the water. Once that happened every security researcher/hacker under the sun was working on it. Until it happens to your product you can sit there and say whatever you are doing is secure, but trust me its not. Once in the hands of people who really want to exploit it for real money want to - you essentially will play a cat and mouse game for the rest of the products lifecycle where sometimes you win and sometimes they win.
On launch performance - I'd actually bet money that Acrobat 9 Pro would launch faster than Foxit - yes seriously. It launches 10x faster than 8 did because it only loads libraries as it needs them (instead of doing like a 120+ loadlib calls on start). Essentially if you're just loading a pdf and looking at it - it doesn't need to load all the plugins for forms, annotations and 3d annotations etc.
Also for visual performance (and foxit definately doesn't have this) 8 and later can use a video card with pixel shader 3 hardware to accelerate the filling in and drawing of vectors to the point where you can do things like realtime zoom, rotations and scrolling on a pdf file - even complex ones.