Slashdot Mirror

← Back to Stories (view on slashdot.org)

F-Secure Suggests Ditching Adobe Reader For Free PDF Viewers

Posted by timothy on from the jane-the-sex-was-good-but-I've-had-enough-circus dept.

hweimer writes "Yesterday at RSA security conference, F-Secure's chief research officer recommended dropping Adobe Reader for viewing PDF files because of the huge amount of targeted attacks against it. Instead, he pointed to PDFreaders.org, a website maintaining a list of free and open source PDF viewers."

36 of 249 comments (clear)

  1. Already there by andytrevino · · Score: 5, Informative

    I've been using Foxit Reader for some time on my aging laptop because of performance issues with Adobe Reader 9, and it works great. http://www.foxitsoftware.com/pdf/reader/

    1. Re:Already there by omeomi · · Score: 2, Informative

      Agreed. Small download. Quick start-up. Never had a problem. Foxit rocks.

      --
      ZuluPad, the wiki notepad on crack
    2. Re:Already there by zonky · · Score: 4, Informative

      Yes, it's so feature compatible with adobe, they've added similar exploits! http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1104

    3. Re:Already there by andytrevino · · Score: 3, Informative

      Free as in beer, not as in speech. The article lists a number of alternatives with varying degrees of maturity and practical utility...

      For example, I'm not going to install KDE on Windows just to read PDFs, and if I'm going to recommend an alternative PDF reader to one of my Average Joe friends, customers or relatives I'm not going to have them download one without an installer or from a website whose name has nothing to do with the product (MuPDF) that looks like it was designed circa 1997. Appearance is everything, you know, which is something that I think has greatly contributed to Firefox's success: both the product and the website look smooth, classy and refined.

    4. Re:Already there by DanWS6 · · Score: 5, Informative

      I was a firm believer in foxit, until I had to fill out my 1040 and related forms. Some of the fields were just screwed up. I had to cave and install acrobat. I died a little inside that day.

    5. Re:Already there by izomiac · · Score: 2, Informative

      I used to use Foxit, but got a little tired of its adware nature (banner ad, browser toolbar, tons of buttons that only exist to remind you what the free version doesn't have, etc.). So I switched to Sumatra (GPL and much more minimalistic than Foxit). Later, I started taking notes in class using PDF comments. I tried using Foxit again, but commenting is restricted to the Pro version. Plus it crashed every second time I tried to comment the DRM'd lecture notes (that was difficult to figure out since Foxit doesn't indicate if DRM is present). So I switched to PDF-XChange Viewer since it can handle DRM and allows comments. It's similar to Foxit in that it's adware and feature-rich, but it does it with a bit more class IMHO. E.g. there's an option to hide the "Professional" features. Plus, there's a portable version.

    6. Re:Already there by FRiC · · Score: 3, Informative

      Until Foxit Reader (at least the Windows version, no experience with other versions) can support Unicode, it will never replace Adobe Reader.

    7. Re:Already there by blind+biker · · Score: 3, Informative

      And what I find quite important: it renders text quite well. At least I don't see a big difference between how Foxit renders text vs. Acrobat. But, as I was saying in another post, Sumatra does a very bad job - so much so, that I feel slightly nauseated when reading documents with Sumatra.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    8. Re:Already there by hairyfeet · · Score: 2, Informative

      Uuuhhhhh....I don't know where you get your info from, but Foxit updates itself just fine, has been for awhile. As you can see here it updates itself. Allow me to quote: "To select "Check for Updates", please go to Help > Check for Updates Now > click "Preferences" in the Foxit Reader Updates dialog box > select "Automatically check for Foxit updates". Please note that this option is selected by default."

      I can say that I have been using the free version for years and for at least the past two versions it has been advising me of updates to the software. of course like most here I picked Foxit for the lack of bloat and quick startup, but having it update itself is just a nice bonus.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:Already there by behindthewall · · Score: 2, Informative

      I learned of Skim a few months ago, and it looks like a great tool. Extensive navigation and annotation abilities, with the annotations saved separately (merging them into the PDF file is also supported). Exactly what I want for migrating to more on-screen research and study.

      Unfortunately, it is dependent upon Mac OS PDF handling libraries. I've been wishing/hoping something similar will appear that is cross platform. Some recent news about Python-based PDF libraries (I forget the specific names, at the moment) has perked my interest/hope a bit.

      I hope something does develop. Or that I generate enough spare cash to finally put down for a Mac. (Suboptimal: I don't want to be tied to Apple's libraries.)

  2. Not Much Cross-Platform by Kelson · · Score: 4, Informative

    It's interesting that of the 8 alternatives mentioned, only Okular is listed as being available across the board on Windows, Mac OS X, and (as they put it), "Free Operating Systems." (Linux, BSD, etc.) Even so, it involves installing KDE on top of Windows or Mac OS X, but at least it can be done.

    The only two-platform reader, Yap, appears to be based on GNUStep, and I don't actually see a Windows download on the web page.

    1. Re:Not Much Cross-Platform by Kelson · · Score: 4, Informative

      Doesn't Apple have their own non-adobe pdf reader built into OS X?

      Yes, Preview can read PDFs (among many other formats) well enough that I didn't even install Adobe Reader when I bought a new MacBook a few months ago. Admittedly I'm not sure how well it handles forms, but it has no problems with static PDF files.

      Of course, I doubt it's open source/free software, so it wouldn't be on this list anyway.

    2. Re:Not Much Cross-Platform by pete-classic · · Score: 4, Informative

      Forms support is decent, but not perfect. I reported a couple of bugs I ran into filling out my tax forms this year. Specifically, I couldn't save a PDF in Adobe Reader that had form data already saved in it with Preview. And the digits didn't align correctly in the bank routing and account number fields.

      I use it frequently. My only other gripe is that the search is brain-dead. (It "ors" all the search terms. which is never what I want. Putting an "AND" between them doesn't help :-/)

      It might sound like I don't like it, but these are actually my only complaints. Very solid app.

      It's also worth noting that PDF export is built right into the print subsystem. No goofy third party print drivers. No need for individual apps to understand PDF.

      -Peter

    3. Re:Not Much Cross-Platform by blind+biker · · Score: 2, Informative

      I tried Sumatra (newest version) and while it's installed size is small, compared to the features it offers, it's bloated (ok, it's not bloated if you compare to Adobe, but it is compared to Foxit). But that's not the real problem with Sumatra: the gravest issue is the rendering: I thought I'll get a headache reading text rendered by Sumatra. It was very unpleasant at any zoom level.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  3. For those on the go by compro01 · · Score: 5, Informative

    Sumatra PDF is also available in a portable format.

    --
    upon the advice of my lawyer, i have no sig at this time
    1. Re:For those on the go by drizek · · Score: 3, Informative

      I was introduced to Sumatra from portable apps and now use it instead of FoxIt. It does have a few issues here and there, but it seems to work better.

  4. I dropped Adobe PDF reader for a different reason by bogaboga · · Score: 3, Informative

    "Yesterday at RSA security conference, F-Secure's chief research officer recommended dropping Adobe Reader for viewing PDF files because of the huge amount of targeted attacks against it.

    I used to use Adobe's PDF reader but while running Windows XP, I got a message prompting me to upgrade my Adobe reader to the latest.

    I attempted to and the downloaded file was quite small. On completing the installation, I found out that I was stuck with a directory heavy at 200MB! Uninstalling the extras did not help matters.

    Later on, I discovered Foxit Reader. I haven't looked back and I am not worried about Adobe misbehaving for I know the would not like Microsoft to gain any traction with their XPS format.

  5. Re:Acrobat: The Worlds Worst Software by 5of0 · · Score: 3, Informative

    But it's malware that sings! That right there makes the difference.

    --
    You all have Oo.o and Firefox, so get World Wind.
  6. Re:What about DRM PDFs? by Anonymous Coward · · Score: 2, Informative

    Search for ineptpdf.pyw.

  7. Foxit is unsuitable by GF678 · · Score: 4, Informative

    This isn't FUD, this is based on my own experiences:

    I've found that the latest Foxit Reader is unable to show certain PDFs, in particular those created using the latest version of Adobe Acrobat. I created some PDFs in Acrobat 9 and when loaded into Foxit Reader 3.0, showed up entirely blank. The only way to view them was to put Adobe Reader on instead. So I did.

    I'm not sure why Foxit showed these PDFs entirely blank. Maybe Acrobat 9 has a new version of the PDF standard that's incompatable, I don't know. What I do know is it means that if I want to gurantee the viewing of PDF files, I pretty much require Adobe products, which isn't that bad if you're using Reader 9 (much faster than version 8).

    Possibly a vendor lock-in mechanism, but I'm tired of fighting. It's easier just to go with Adobe and get on with work.

    1. Re:Foxit is unsuitable by GF678 · · Score: 4, Informative

      One more thing I forgot to mention - I switched from Acrobat to PDFCreator a while back. It's very good, and anything I render using PDFCreator works just fine with Foxit Reader. Also has the side benefit of being open source and an example of an actually GOOD open source product. Unfortunately this doesn't discount the fact that other people might use Acrobat to render THEIR PDFs, and I don't want to cut myself off from being able to view them.

  8. Broken ones are JetForm/LiveCycle based by bigtrike · · Score: 3, Informative

    Foxit does not yet support JetForm/LiveCycle based PDFs. Neither does OSX's Preview.

    I wish people would stop using LiveCycle to produce PDFs, from what I can tell the format is not documented in the PDF ISO specification. Additionally, the newer format does not seem to provide any features that were not previously available in PDF. One can only speculate that it was done out of laziness or to thwart competition after they opened the format.

    1. Re:Broken ones are JetForm/LiveCycle based by Skuld-Chan · · Score: 2, Informative

      It is an open specification:

      http://partners.adobe.com/public/developer/xml/index_arch.html

      And yes it does provide a lot of things not available in the pdf spec - for example directly rendered forms (which require significantly less bandwidth).

      I wish people would stop spreading fud about Acrobat/Reader. Having worked for Adobe (I no longer do sadly) on Acrobat specifically a few facts:

      A) update manager only starts with the app - it doesn't run constantly and you can disable it and use the help > check for updates feature - you can even deploy it to a million machines with this setting (thanks to its msi installer and customization wizard).

      B) patches are released only once per quarter - I don't recall anytime (unless it was a security hotfix) that we released more than one patch per quarter.

      C) Foxit is great - its the reason why Adobe made the PDF spec and ISO standard.

      That said - it only impliments maybe a tenth (and I'm being really generous here) of what Reader/Acrobat can do. If you take reader and remove all the plugins from it its as small as foxit and starts just as fast and has as much functionality. There really are people in banking, finance, manufacturing, education, printing etc that rely on these features.

      As some people have mentioned - it lacks a lot of features required in form support. I'd also add that it doesn't support postscript passthrough, or any number of a hundred different features required for pre-press work (color separation, color management, analysis or reporting).

      I'd also add that foxit supports javascipt as well - which means eventually once it reaches Slashdot market dominance it will become a ripe target for hackers as well.

      On security - as far back as Acrobat 4 it had security issues - no-one messed around with it because frankly it wasn't a big enough target. It wasn't until someone a while back (I think while Acrobat 7 was shipping) that someone exploited it and the blood was in the water. Once that happened every security researcher/hacker under the sun was working on it. Until it happens to your product you can sit there and say whatever you are doing is secure, but trust me its not. Once in the hands of people who really want to exploit it for real money want to - you essentially will play a cat and mouse game for the rest of the products lifecycle where sometimes you win and sometimes they win.

      On launch performance - I'd actually bet money that Acrobat 9 Pro would launch faster than Foxit - yes seriously. It launches 10x faster than 8 did because it only loads libraries as it needs them (instead of doing like a 120+ loadlib calls on start). Essentially if you're just loading a pdf and looking at it - it doesn't need to load all the plugins for forms, annotations and 3d annotations etc.

      Also for visual performance (and foxit definately doesn't have this) 8 and later can use a video card with pixel shader 3 hardware to accelerate the filling in and drawing of vectors to the point where you can do things like realtime zoom, rotations and scrolling on a pdf file - even complex ones.

  9. Re:Okular has no chance there ... by LiquidFire_HK · · Score: 3, Informative

    Well, to be fair, the KDE on Windows page does say, in bold,

    KDE on Windows is not in the final state, so applications can be unsuitable for day to day use yet.

    The installer is far from suitable for end-users as well. I'm not sure why the website would link to the KDE installer without any instructions (there is no installer specific to Okular, or any specific KDE program, yet).

  10. here's a more comprehensive list by belmolis · · Score: 2, Informative

    This list is more comprehensive.

  11. I've gone to Kpdf and I won't go back by Anonymous Coward · · Score: 2, Informative

    I used to use Adobe's Linux Acrobat Reader; 4 was the first version I recall using. I loved that Adobe provided a Linux release, even if it wasn't open (I prefer open programs, but I won't cry if I don't get them). I kept upgrading as new versions were released, until, I think, 8 (maybe?) This version decided that it would install a bunch of shit into ~/.local, overriding KDE's PDF icons with its own that were out of place, and generally making a mess of itself. Cleaning up ~/.local didn't help, because acroread would create that horrible, horrible mess each time I started it. If I wanted to change file associations, etc, I would do it! I don't need a program doing it behind my back. Ask me, that's fine; don't just do it, though.

    So I ditched acroread. I realized that kpdf does everything I need it to, it integrates with my desktop, and it doesn't try to force changes on me. I'd probably still be a happy acroread user if they didn't decide that they should take over my desktop. That works on windows, where people have become resigned to programs fucking them over. But it doesn't work for me.

  12. Re:What about DRM PDFs? by bcrowell · · Score: 2, Informative

    How do I remove the DRM

    On linux: gs -q -dCompatibilityLevel=1.4 -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=b.pdf a.pdf -c '.setpdfwrite'

    or would removing the DRM so that I can use them in a third party PDF viewer be a violation of my license with the college and publishers?

    Who cares? You're in a situation where you're being horribly abused. The professor chose the book, the publisher chose to put DRM on it, and the publishing industry's lobbyists got Congress to pass the DMCA...just do whatever works for you. You paid for the book, after all.

    I really don't want to lose my eBook library, but I don't want to get infected either.

    Turn off javascript in AR: Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

    --
    Find free books.
  13. #6 there is the dealbreaker. by Shag · · Score: 2, Informative

    Apple's "Preview" (included with OS X, and did anyone mention that OS X's display model is visual PDF or something like that?) does pretty much everything you need there, better than Acrobat, and with less bloat. (And to the other poster who was wondering, yes, you can fill in forms. Can't create/edit them, though.) But although it runs on Intel, it doesn't run on Windows. Sorry. :(

    --
    Village idiot in some extremely smart villages.
  14. Tracker Software by eric2hill · · Score: 4, Informative

    The free PDF Viewer from Tracker Software is a wonderfully fast PDF reader, and comes with annotation capability right out of the box. They are very developer friendly, and their PDF XChange printer drivers produce PDF's that are tighter and better optimized than Adobe themselves. Great company to work with, and a great free PDF viewer.

    --
    LOAD "SIG",8,1
    LOADING...
    READY.
    RUN
  15. Re:How about a security review? by mrbene · · Score: 4, Informative
    I think F-Secure's unofficial stance is outlined best in their blog from a while back:

    we're not recommending Foxit. We're not recommending Sumatra. Or PDF-Xchange, CoolPDF or eXPert PDF. Instead, we recommend users to find their own Adobe Reader replacement. This way we get more heterogeneous userbase, which is a good idea security-wise.

  16. PDF Studio from Qoppa by emaname · · Score: 2, Informative

    One more to consider. I haven't tried this product yet but will soon. NOTE: It ain't free. It's based on Java. But it's less expensive and if they keep the package trim and secure, that's fine by me. I just don't want to deal w/A-D'oh-be anymore.

    PDF Studio(tm) for Linux, Mac & Windows

    http://www.qoppa.com/index.html

    Disclaimer: If this product sucks, my apologies in advance for suggesting it.

    --
    An effective "democracy" creates the illusion the people have a say in their government.
  17. Re:What about DRM PDFs? by bendodge · · Score: 3, Informative

    Kpdf (part of KDE 3.5) had a checkbox to ignore DRM. I don't know of Okular (KDE 4) does.

    --
    The government can't save you.
  18. The Gimp is Cross-Platform by flyingfsck · · Score: 3, Informative

    You can edit PDFs and paste text onto forms with the Gimp. Kinda painful, but it works and then you can save the file in any format you want.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  19. Re:Acrobat: The Worlds Worst Software by Philip_the_physicist · · Score: 1, Informative
    Evince is certainly more responsive than A8 on the same system, and can search much more quickly. I tend to read in continuous mode, so the next page is already cached before I scroll to it in most readers, but I admit that when jumping to pages acroread 8 is faster to show the page. I would hazard a guess that acrobat pre-renders unseen pages, which would explain its much higher footprint.

    I haven't used KPDF since I was messing around with KDE4.0, when it seemed to cause major wedging, but KPDF/KDE3 was acceptable. GhostView is better than evince for clever PS files, although I much prefer Evince's user interface, and it works fine for ordinary PS documents (without animation etc.) and DJVU (used for ebooks). I haven't really used Orakular, since I am not a KDE user.

  20. F-Secure Blog by Leevi · · Score: 2, Informative

    They talked about this months ago in their blog http://www.f-secure.com/weblog/archives/00001623.html Out of context taken quote "we're not recommending Foxit."

  21. Acrobat is nuisanceware by Anonymous Coward · · Score: 1, Informative

    Unfortunately it is true that some PDFs only work with Acrobat (although I admit that I have never met a "protected" PDF that was worth the protection). So in some cases, installing Acrobat seems to be necessary, even on MacOS X, where the OS provides a pretty good PDF Viewer. However, when you do that, Adobe installs plugins in your browser and changes browser settings without even asking, just like any other malware. And after every upgrade you have again to go through the settings and repair the damage Adobe has done. I wouldn't complain if Acrobat was an improvement over the built in PDF Viewer, but it is slower, bloated, has an inconsistent user interface (being inconsistent in itself it cannot be consistent with the other applications of the plattform). And in the single area where you would wish some improvement over Mac OS X Preview, namly in printing (ever tried to print a document as a booklet?), it delivers no improvement. So it is probably fair to classify Acrobat as malware: a nuisance to the user with hardly any benefit.