Thursday, August 6, 2009

Repeat Offender: Time to Boot Adobe?

It's no doubt that over the last year or so everyone has been ripping up the Adobe folks for releasing version after version of the bloated PDF reader with more and more seemingly stupid security bugs. Now we've got yet another ridiculous vulnerability in the PDF family of products - this time dealing with Flash.

From the Sans Newswire...
Adobe Issues Critical Updates for Reader and Acrobat (August 3, 2009) Adobe has released updates for Reader and Acrobat on Windows, Mac, and Unix to address critical flaws related to Flash content. The vulnerabilities are being actively exploited. Users are encouraged to update to Adobe Reader 9.1.3 as soon as possible. Those already running Reader version 9.x can update to 9.1.3 with the automatic update function. Users who download Reader for Windows from the Adobe site should be aware that the version they receive is 9.1. If they download that version, they will still need to update to version 9.1.3. Windows and Mac users will need to download completely new versions of Adobe Acrobat.
Wait, there's a PDF Reader/Acrobat vulnerability that deals with the Flash engine? I had a hard enough time trying to force myself to understand why the JavaScript engine is so integrated into the PDF Reader/Acrobat - there is absolutely no way in hell you're going to convince me that Flash content inside a PDF doc is necessary... period.

At some point - people are just going to stop using the PDF format... I know it's convenient, functional but at some point... everyone's just going to get sick of patching and re-patching for stupid functions that shouldn't be there in the first place... am I alone? I don't think so... One of the editors, Stephen Northcutt, had this to say:
"I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can." --Northcutt

Whoops. I don't know about you guys and girls out there... but I'm with him. In fact, a great alternative is Foxit PDF Reader, available here - that's what I use when I had to open PDFs.

As Stephan Chenette so astutely pointed out to me via email (thanks by the way)... Adobe isn't the only group that can be AWI (Architecting While Intoxicated)... apparently somehow it's also now a critical feature that Microsoft's Excel be able to embed Flash! content in it... and is thus vulnerable. Whiskey. Tango. Foxtrot. Seriously... See here: (head in hands)...


ekse said...

I was using Foxit before mainly because Adobe Reader is such a memory hog but the fonts weren't well anti-aliased. I switched recently to PDF-XChange Viewer, I really like it, it has tab supports and the text is crisp. You should give it a try.

Arshan Dabirsiaghi said...

I think you should try having 90%+ market share and not getting owned every day. Do you REALLY believe "FoxIt" code is more secure than Adobe's? You think their SDL is better? Testing strategy? Security budget?

Glancing at Foxit's advisory page shows 4 0days in 2009 with similar lag times to Adobe.

I'm not sure it's worth the all the world's admins' hassle to jump from small fish to small fish just to avoid untargeted malware.

When someone writes a good, portable PDF reader in managed code, I'll switch.

Rafal Los said...

@Arshan- I don't so much care for the frequency and volume of vulnerabilities, as clearly everyone has them, but for the direction in development. Even though FoxIt has a high number of defects/vulns they aren't (that I can spot) supporting what is clearly a run-away development process senselessly chasing "cool" without pause to understand consequences.

That's my $0.19999999999999

Arshan Dabirsiaghi said...

No offense but this:

>clearly a run-away development
>process senselessly chasing "cool"
>without pause to understand

... is just pure speculation - unless you have some data? They compile with /GS on Windows now. That's a step in the right direction. DEP would be nice too, but it isn't designed in such a way that you can just "switch it on", especially for a x-platform VM product.

Does it represent your biggest browser-based threat? Would anything else be better? For now, to avoid untargeted malware, possibly. In the long term, I don't think any of the small fish are going to do better.