F-Secure Suggests Ditching Adobe Reader For Free PDF Viewers 249
hweimer writes "Yesterday at RSA security conference, F-Secure's chief research officer recommended dropping Adobe Reader for viewing PDF files because of the huge amount of targeted attacks against it. Instead, he pointed to PDFreaders.org, a website maintaining a list of free and open source PDF viewers."
Re:Already there (Score:3, Insightful)
Re:Not Much Cross-Platform (Score:5, Insightful)
I've been using Evince on Linux for years now. No dramas. Runs about 10 times faster than the Adobe Reader as well.
Does whether a particular reader is cross-platform really matter? Most people only seem to use the zoom in/out, scroll up/down and preview pane functions anyway. Not a lot to figure out on a different system...
Acrobat: The Worlds Worst Software (Score:5, Insightful)
Acrobat utterly takes the biscuit when it comes to being the most execrably awful, arrogant, bloated, buggy, piece of software ever made, ever. And that's in a world where Microsoft exists as well.
But as if that isn't bad enough, it ALSO ranks as the most tragic irony in *all* *computing* *history* that such a screamingly, revoltingly, tear-out-your-hair-and-become-a-monk awful software is essentially based on an open standard. I'll say that again: PDF is an *open* ISO standard. HOW did Adobe rape and strangle it to death like they did? If anyone wants an example of how unspeakably evil marketing and sharp practices can be, they need look no further than Adobe Acrobat.
If I never used Acrobat ever again it would be too soon.
Re:Already there (Score:5, Insightful)
Foxit has a couple of problems with some forms-based PDFs my work gave me, but on the other hand, it lets me save form field values in pdfs where acrobat won't.
It's great; I got sick of the bloat ware and "run all the time! in the background! always show up with checks for prompts for updates every time I open my browser!" that adobe has turned into.
now if foxit only made a flash player
1 word (Score:1, Insightful)
Monoculture.
It's always bad & that's why standards are good.
Re:Already there (Score:5, Insightful)
Actually, the article specifically suggests that Adobe needs to improve its automatic update system, not remove it.
Foxit is getting pretty widely used, and it will be especially vulnerable if it lacks a mechanism to update itself automatically.
Convenience != good architecture.
I'm not sure who are more dangerous, those that don't update because they don't know what updates are, or those that don't update because they're too paranoid about corporations whose software they already use to allow that software to be patched against demonstrated security issues.
That said, Adobe is bloated. It just has nothing to do with running all the time in the background and prompting for updates, but just with generally shitty programming. Anything used for a significant portion of web traffic needs to have a mechanism to automatically retrieve updates, especially if the user is to lazy make sure that their system is up to date and secure.
How about a security review? (Score:3, Insightful)
Being the most targeted is not a good reason to switch (being the most exploited may be). However, rather than say "acroread sucks, try something else", shouldn't a security company actually check the security of the alternatives? Alternative does not automatically imply better; how do I know that the alternatives are not worse?
How many of the alternatives implement all the features require (and implement them securely)? Viewing an owner's guide PDF or some such isn't a big deal (I'd hope they can all do that); I need to know if all the form handling works correctly (because I need to use that).
Re:Not Much Cross-Platform (Score:5, Insightful)
The websites are the horror from a windows end-user point of view.
Okular: no download, build descriptions? ...
MuPDF: A parser description?
Yap: That screenshot
Sumatra PDF: Looks good.
Re:Already there (Score:5, Insightful)
What about those of us who don't update because we're too lazy?
Then there's those of us who don't update because we've been burnt by updates breaking things way too many times in the past.
Re:Not Much Cross-Platform (Score:2, Insightful)
> The websites are the horror from a windows end-user point of view.
Perhaps you should consider getting your operating system from an organization that does not require you to download such fundamental applications as a PDF viewer from a third party.
Re:What about DRM PDFs? (Score:4, Insightful)
Open the file as a text file and look for the comment that says something like it is a violation of the DMCA to remove the following lines. Remove the following lines. Repeat. This is of course assuming that you don't think it's a violation of the DMCA to remove the lines in question.
Re:nice that there was an MS rep there to pay him (Score:4, Insightful)
using this guys logic, he should be saying to dump Microsoft and use another OS due to the large number of breakins on Windows boxes.
Unless he thought that the cost of switching OSes was significantly higher than the cost of switching to another free piece of software on top of that OS. With Windows, people need it to do things that no other operating system can do, namely, running Windows-only applications as well as they can be run. Switching to another OS requires either dealing with emulation, a VM, or not being able to run those programs at all. In addition, there are costs in either a steep learning curve going to linux or hardware to get a Mac. Cost to change: many, many hours of learning or a few thousand dollars.
On the other hand, as long as these PDF readers can read any pdf that adobe can, and as long as they're free like adobe is, there's no other cost. Hell, you can even have adobe installed just in case you'll need it, but make another reader the default for everything, thereby giving you the security of having another reader without any loss in functionality. Cost to change: maybe half an hour.
In other words, your bias is showing.
better -- use pdfs appropriately! (Score:5, Insightful)
I realize there's pretty much no point in saying this, as it seems that many designers -- especially in large organizations -- seem to give little thought to the end user, and the usability of their site. (inappropriate or unnecessary use of pdf, flash, javascript, popups (still!) etc )
I'm tired of going to a site to find that in order to find out -- for example, where an event is going to take place -- that I have to download a 3 page pdf document, one that would have been so much easier and quicker and accessible as html on a webpage.
I'm willing to bet that, at the very least, half of all pdfs created do not need to be pdfs in the first place.
Okular has no chance there ... (Score:5, Insightful)
Okular has no chance there. Not amongst regular Windows users at least.
Step 1 - Go to PDFreaders.org [pdfreaders.org] - no issue
Step 2 - Click on "Download" on the intersection between Okular and Windows - no issue
Step 3 - Click "Download latest installer for immediate installation. - no issue
Step 4 - Run the KDE installer - not so much an issue, as what it does is
Step 5 - Click Next - "install from Internet" is the default setting, sounds reasonable
Step 6 - Select a download server - "What the hell did I just download then?"
Step 7 - Select an available release - Ehh? Whut?
Step 8 - Select the package you want to install - Well, that's just fucked up. 140+ packages to choose from. They're sorted by package name ONLY, cannot sort by package notes.
Step 9 - Look for something called Okular as package name. None found
Step 10 - "Oh, well, maybe these are packages I want in addition to Okular. I mean, I downloaded the Okular installer, right?"
Step 11 - Click Next
Step 12 - Installation/Update finished
Step 13 - Realise that NOTHING has been installed.
Step 14 - Get annoyed
Step 15 - Call tech support (realise this is a free program and there's noone to yell at)
Step 16 - Download and run the installer again (because they forgot where they downloaded it to)
Step 17 - Get to the package list and start reading very carefully
Step 18 - Wonder why the hell the package list goes Czech, Kashubian, Welsh, Danish, German, Greek, English, Esperanto, Spanish, Estonian [spelling package]
Step 19 - Realise there's still no Okular package anywhere
Step 20 - Read the list for the 3rd time and note that "Graphics applications" has a note "(including Okular)"
Step 21 - Wonder why the hell the download Okular link from before doesn't give you the fucking package to begin with
Step 22 - Notice that you're now downloading 40 (forty!) packages from the servers
Step 23 - Notice that one of these files are 60+ MB
Step 24 - Wonder why they call Acrobat Reader bloated and slow when that installer is less than 25 MB and takes about 30 seconds to install, just by clicking Next until you're done.
Step 25 - Notice that you now have a folder called "Programs" in your Start menu's program folder, which is aparently a sym-link to the program folder (doesn't point to itself though)
Step 26 - Find the "KDE 4.22 Release" folder in Programs and notice these programs:
Step 27 - Wonder once more why the hell people call Acrobat Reader bloated when this program installs with 5 extra programs.
Step 28 - Start the bloody program!
Step 29 - KConf_update.exe would like to run. So, Acrobat Reader running its updater - Bad! This - GOOD!
Step 30 - TRY to put frustrations aside and use the program
That installer REALLY needs some work.
And if you are going to have a Windows program, be as kind as to have an actual uninstaller. NONE of the KDE programs installed are listed in (Add/Remove)Programs(and Features). No uninstallers in the start menu either. I realise a lot of vocal FOSS supporters don't like Windows, but please - if you're going to advocate FOSS, at least make it live up to the LOW standards of Windows software (the non-malicious part of that group).
Re:Not Much Cross-Platform (Score:1, Insightful)
Re:Acrobat: The Worlds Worst Software (Score:4, Insightful)
Acrobat utterly takes the biscuit when it comes to being the most execrably awful, arrogant, bloated, buggy, piece of software ever made, ever. And that's in a world where Microsoft exists as well.
I see you never used Visual SourceSafe.
But yes, Acrobat sucks.
Re:Foxit Reader (Score:2, Insightful)
I'm actually starting to suspect that the same people who write the adobe reader/updater code, also work in the HP drivers division. Both use FEAD/Nosso compression, both have obnoxious updaters, both are massively bloated....
/tinfoil hat
Re:They are NOT free! (Score:3, Insightful)
it is an open standard, you are welcome to do so.
Re:Already there (Score:3, Insightful)
I'm not sure who are more dangerous, those that don't update because they don't know what updates are, or those that don't update because they're too paranoid about corporations whose software they already use to allow that software to be patched against demonstrated security issues.
What about:
Those who don't update because it would take unreasonable ammounts of time on thier slow connection
Those who don't upgrade because they are afraid vendor incompetance will cause something to break (or have upgraded and then had to downgrade because something broke and are now stuck with the version they downgraded too)
Those who don't update because they simply can't be bothered dealing with all the updators.
IMO all the major windows development houses (including MS themselves) need to get together and use a common automatic updates system with a common setting for deciding update policy (off/check and ask/download and ask/full auto) and maybe an advanced settings box to set different update policies for different products. I think the windows automatic updates system may already support this but if it does then i've never seen anyone other than MS use it.
This is slashdot! (Score:4, Insightful)
Step 1: Don't buy anything with DRM protection.
Step 2: Repeat.
Re:Already there (Score:5, Insightful)
Foxit Reader is proprietary, no more inspectable or modifiable than Adobe's PDF reader and therefore no more trustworthy than any other proprietary software. No proprietary software is not a good solution to the problems faced with Adobe's proprietary PDF Reader. You are merely jumping from one proprietor to another.
A reasonable recommendation is a FLOSS PDF reader such as Sumatra, Skim, or one of the other fine PDF readers recommended by PDFReaders.org [pdfreaders.org].
Re:Already there (Score:2, Insightful)
The guy is basically advising security through not encouraging a monoculture
.
Fixed that for you.
Re:Already there (Score:3, Insightful)
And not only does Adobe Reader use a lot of resources, but that automatic "updater" is annoying as hell.
Do you all agree that Foxit is the best of show for free PDF reader? I'd like to hear your opinions on some of the others.
Re:Not Much Cross-Platform (Score:3, Insightful)
Hey, I don't want my OS coming with ANY apps, how about that? Just run my programs and stay out of my way.
Re:Already there (Score:5, Insightful)
Re:Already there (Score:3, Insightful)
Re:Already there (Score:3, Insightful)
What's your bug report number?
Re:Already there (Score:1, Insightful)
Security through obscurity is no security, true, but using an alternative PDF reader you can at the moment considerably reduce the risks of being a target for such an attack.
This has nothing to do with actual security and everything to do with statistics. If your PDF reader is vulnerable to 5% of the attacks out there instead of 95%, there's a difference.
0% is, of course, the best alternative, but whenever a piece of software gains some kind of relevant market share, someone will start to exploit its' weaknesses.
Re:Already there (Score:2, Insightful)
Updates don't work for non-administrator accounts... The Firefox developers "fixed" this issue by not even notifying the user when updates are available.
As it should be. The system administrator should be responsible for updating software, especially if the user can't do it themselves.
Re:Not Much Cross-Platform (Score:2, Insightful)
That definitely goes to show the value of providing functionality via general, well-conceived and well-implemented frameworks instead of being wrapped up inside of monolithic applications.
As someone that doesn't want or have the macintosh os, that value is 0..