Slashdot Mirror

← Back to Stories (view on slashdot.org)

F-Secure Suggests Ditching Adobe Reader For Free PDF Viewers

Posted by timothy on from the jane-the-sex-was-good-but-I've-had-enough-circus dept.

hweimer writes "Yesterday at RSA security conference, F-Secure's chief research officer recommended dropping Adobe Reader for viewing PDF files because of the huge amount of targeted attacks against it. Instead, he pointed to PDFreaders.org, a website maintaining a list of free and open source PDF viewers."

46 of 249 comments (clear)

  1. Already there by andytrevino · · Score: 5, Informative

    I've been using Foxit Reader for some time on my aging laptop because of performance issues with Adobe Reader 9, and it works great. http://www.foxitsoftware.com/pdf/reader/

    1. Re:Already there by Saint+Stephen · · Score: 5, Insightful

      Foxit has a couple of problems with some forms-based PDFs my work gave me, but on the other hand, it lets me save form field values in pdfs where acrobat won't.

      It's great; I got sick of the bloat ware and "run all the time! in the background! always show up with checks for prompts for updates every time I open my browser!" that adobe has turned into.

      now if foxit only made a flash player

    2. Re:Already there by FlyingBishop · · Score: 5, Insightful

      Actually, the article specifically suggests that Adobe needs to improve its automatic update system, not remove it.

      Foxit is getting pretty widely used, and it will be especially vulnerable if it lacks a mechanism to update itself automatically.

      Convenience != good architecture.

      I'm not sure who are more dangerous, those that don't update because they don't know what updates are, or those that don't update because they're too paranoid about corporations whose software they already use to allow that software to be patched against demonstrated security issues.

      That said, Adobe is bloated. It just has nothing to do with running all the time in the background and prompting for updates, but just with generally shitty programming. Anything used for a significant portion of web traffic needs to have a mechanism to automatically retrieve updates, especially if the user is to lazy make sure that their system is up to date and secure.

    3. Re:Already there by omeomi · · Score: 4, Funny

      I'm not sure who are more dangerous, those that don't update because they don't know what updates are, or those that don't update because they're too paranoid about corporations whose software they already use to allow that software to be patched against demonstrated security issues.

      What about those of us who don't update because we're too lazy?

      --
      ZuluPad, the wiki notepad on crack
    4. Re:Already there by zonky · · Score: 4, Informative

      Yes, it's so feature compatible with adobe, they've added similar exploits! http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1104

    5. Re:Already there by andytrevino · · Score: 3, Informative

      Free as in beer, not as in speech. The article lists a number of alternatives with varying degrees of maturity and practical utility...

      For example, I'm not going to install KDE on Windows just to read PDFs, and if I'm going to recommend an alternative PDF reader to one of my Average Joe friends, customers or relatives I'm not going to have them download one without an installer or from a website whose name has nothing to do with the product (MuPDF) that looks like it was designed circa 1997. Appearance is everything, you know, which is something that I think has greatly contributed to Firefox's success: both the product and the website look smooth, classy and refined.

    6. Re:Already there by QRDeNameland · · Score: 4, Insightful

      What about those of us who don't update because we're too lazy?

      Then there's those of us who don't update because we've been burnt by updates breaking things way too many times in the past.

      --
      Momentarily, the need for the construction of new light will no longer exist.
    7. Re:Already there by DanWS6 · · Score: 5, Informative

      I was a firm believer in foxit, until I had to fill out my 1040 and related forms. Some of the fields were just screwed up. I had to cave and install acrobat. I died a little inside that day.

    8. Re:Already there by toleraen · · Score: 4, Interesting

      Exactly what I don't get of this. When tracking the adobe exploits I saw several for Foxit pop up. The guy is basically advising security through obscurity. Foxit definitely released patches quicker than Adobe, but the vulnerabilities were still there...

    9. Re:Already there by JoeBuck · · Score: 5, Funny

      What about those of us who don't update because we're too lazy?

      You might be lazy, but your computer isn't; it's been sending out spam 24/7 for a while now.

    10. Re:Already there by FRiC · · Score: 3, Informative

      Until Foxit Reader (at least the Windows version, no experience with other versions) can support Unicode, it will never replace Adobe Reader.

    11. Re:Already there by blind+biker · · Score: 3, Informative

      And what I find quite important: it renders text quite well. At least I don't see a big difference between how Foxit renders text vs. Acrobat. But, as I was saying in another post, Sumatra does a very bad job - so much so, that I feel slightly nauseated when reading documents with Sumatra.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    12. Re:Already there by jbn-o · · Score: 5, Insightful

      Foxit Reader is proprietary, no more inspectable or modifiable than Adobe's PDF reader and therefore no more trustworthy than any other proprietary software. No proprietary software is not a good solution to the problems faced with Adobe's proprietary PDF Reader. You are merely jumping from one proprietor to another.

      A reasonable recommendation is a FLOSS PDF reader such as Sumatra, Skim, or one of the other fine PDF readers recommended by PDFReaders.org.

      --
      Digital Citizen
    13. Re:Already there by TooMuchToDo · · Score: 4, Insightful

      Like Firefox? They've perfected the way they do updates.

  2. Not Much Cross-Platform by Kelson · · Score: 4, Informative

    It's interesting that of the 8 alternatives mentioned, only Okular is listed as being available across the board on Windows, Mac OS X, and (as they put it), "Free Operating Systems." (Linux, BSD, etc.) Even so, it involves installing KDE on top of Windows or Mac OS X, but at least it can be done.

    The only two-platform reader, Yap, appears to be based on GNUStep, and I don't actually see a Windows download on the web page.

    1. Re:Not Much Cross-Platform by Kelson · · Score: 4, Informative

      Doesn't Apple have their own non-adobe pdf reader built into OS X?

      Yes, Preview can read PDFs (among many other formats) well enough that I didn't even install Adobe Reader when I bought a new MacBook a few months ago. Admittedly I'm not sure how well it handles forms, but it has no problems with static PDF files.

      Of course, I doubt it's open source/free software, so it wouldn't be on this list anyway.

    2. Re:Not Much Cross-Platform by dov_0 · · Score: 5, Insightful

      I've been using Evince on Linux for years now. No dramas. Runs about 10 times faster than the Adobe Reader as well.

      Does whether a particular reader is cross-platform really matter? Most people only seem to use the zoom in/out, scroll up/down and preview pane functions anyway. Not a lot to figure out on a different system...

      --
      sudo mount --milk --sugar /cup/tea /mouth /etc/init.d/relax start
    3. Re:Not Much Cross-Platform by John+Whitley · · Score: 4, Interesting

      Yes. There's also Skim for OS X, which is far and away my favorite PDF reader for any platform. It's actually designed by and for people who really want to read, quickly search, and annotate PDFs.

      Here are two of Skim's great features that I'd love to to see in other PDF readers:

      1. Fast search with great presentation. Skim's PDF text search is blazing fast, provides a concise one-hit per line view, as well as thumbnails of the page around the search target on mouse hover. The thumbs are great for quickly winnowing down to the correct hit; you often don't need to even read the text, just the "look" is enough to know you've got the right thing.
      2. The ability to easily spin off small windows frozen to a part of a page -- great for popping open a diagram or other material referenced across multiple pages of a text.

      I do believe that Skim relies heavily on various OS X frameworks (e.g. for PDF rendering, Spotlight support for search, etc.). That definitely goes to show the value of providing functionality via general, well-conceived and well-implemented frameworks instead of being wrapped up inside of monolithic applications.

    4. Re:Not Much Cross-Platform by buchner.johannes · · Score: 4, Insightful

      The websites are the horror from a windows end-user point of view.

      Okular: no download, build descriptions?
      MuPDF: A parser description?
      Yap: That screenshot ...
      Sumatra PDF: Looks good.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    5. Re:Not Much Cross-Platform by pete-classic · · Score: 4, Informative

      Forms support is decent, but not perfect. I reported a couple of bugs I ran into filling out my tax forms this year. Specifically, I couldn't save a PDF in Adobe Reader that had form data already saved in it with Preview. And the digits didn't align correctly in the bank routing and account number fields.

      I use it frequently. My only other gripe is that the search is brain-dead. (It "ors" all the search terms. which is never what I want. Putting an "AND" between them doesn't help :-/)

      It might sound like I don't like it, but these are actually my only complaints. Very solid app.

      It's also worth noting that PDF export is built right into the print subsystem. No goofy third party print drivers. No need for individual apps to understand PDF.

      -Peter

  3. Helpfully by Anonymous Coward · · Score: 5, Funny

    F-Secure posted a PDF with exploits to uninstall Adobe Reader and install a new free reader.

  4. Acrobat: The Worlds Worst Software by gilgongo · · Score: 5, Insightful

    Acrobat utterly takes the biscuit when it comes to being the most execrably awful, arrogant, bloated, buggy, piece of software ever made, ever. And that's in a world where Microsoft exists as well.

    But as if that isn't bad enough, it ALSO ranks as the most tragic irony in *all* *computing* *history* that such a screamingly, revoltingly, tear-out-your-hair-and-become-a-monk awful software is essentially based on an open standard. I'll say that again: PDF is an *open* ISO standard. HOW did Adobe rape and strangle it to death like they did? If anyone wants an example of how unspeakably evil marketing and sharp practices can be, they need look no further than Adobe Acrobat.

    If I never used Acrobat ever again it would be too soon.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
    1. Re:Acrobat: The Worlds Worst Software by Anonymous Coward · · Score: 5, Funny

      the most execrably awful, arrogant, bloated, buggy, piece of software ever made, ever.

      It's called Realplayer.

    2. Re:Acrobat: The Worlds Worst Software by UncleTogie · · Score: 3, Funny

      You really think so? Let me introduce you to my Buddy, Bonzi....

      --
      Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    3. Re:Acrobat: The Worlds Worst Software by 5of0 · · Score: 3, Informative

      But it's malware that sings! That right there makes the difference.

      --
      You all have Oo.o and Firefox, so get World Wind.
    4. Re:Acrobat: The Worlds Worst Software by H0p313ss · · Score: 4, Funny

      Acrobat utterly takes the biscuit when it comes to being the most execrably awful, arrogant, bloated, buggy, piece of software ever made, ever.

      Clearly you have not used anything Lotus has shipped in the past decade.

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
    5. Re:Acrobat: The Worlds Worst Software by spinkham · · Score: 3, Insightful

      Acrobat utterly takes the biscuit when it comes to being the most execrably awful, arrogant, bloated, buggy, piece of software ever made, ever. And that's in a world where Microsoft exists as well.

      I see you never used Visual SourceSafe.

      But yes, Acrobat sucks.

      --
      Blessed are the pessimists, for they have made backups.
  5. For those on the go by compro01 · · Score: 5, Informative

    Sumatra PDF is also available in a portable format.

    --
    upon the advice of my lawyer, i have no sig at this time
    1. Re:For those on the go by drizek · · Score: 3, Informative

      I was introduced to Sumatra from portable apps and now use it instead of FoxIt. It does have a few issues here and there, but it seems to work better.

  6. I dropped Adobe PDF reader for a different reason by bogaboga · · Score: 3, Informative

    "Yesterday at RSA security conference, F-Secure's chief research officer recommended dropping Adobe Reader for viewing PDF files because of the huge amount of targeted attacks against it.

    I used to use Adobe's PDF reader but while running Windows XP, I got a message prompting me to upgrade my Adobe reader to the latest.

    I attempted to and the downloaded file was quite small. On completing the installation, I found out that I was stuck with a directory heavy at 200MB! Uninstalling the extras did not help matters.

    Later on, I discovered Foxit Reader. I haven't looked back and I am not worried about Adobe misbehaving for I know the would not like Microsoft to gain any traction with their XPS format.

  7. Adobe: The Worlds Worst Software Company by Anonymous Coward · · Score: 5, Interesting

    That was my response to the dreamweaver CS3 install that dumped over 800 meg of bolt-on garbarge and two new services BEFORE starting the actual dreamweaver install.

    And the new-and-improved dreamweaver was almost exactly the same as the macromedia version. They added a new CSS selector and a new tab for their adobe ajax framework. And they broke the best interakt extension. So the product went backwards, despite trending towards epic MS levels of application footprint.

    They acquired the interackt folks and I think CS4 suckers are still waiting for the supported port.

    Everything adobe touches turns to shit if you ask me.

  8. What about DRM PDFs? by Orion+Blastar · · Score: 5, Interesting

    I have a ton of DRM protected eBooks from my college. They only work in Adobe Acrobat Reader. How do I remove the DRM, or would removing the DRM so that I can use them in a third party PDF viewer be a violation of my license with the college and publishers?

    I really don't want to lose my eBook library, but I don't want to get infected either.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
    1. Re:What about DRM PDFs? by Anonymous Coward · · Score: 4, Insightful

      Open the file as a text file and look for the comment that says something like it is a violation of the DMCA to remove the following lines. Remove the following lines. Repeat. This is of course assuming that you don't think it's a violation of the DMCA to remove the lines in question.

    2. Re:What about DRM PDFs? by bendodge · · Score: 3, Informative

      Kpdf (part of KDE 3.5) had a checkbox to ignore DRM. I don't know of Okular (KDE 4) does.

      --
      The government can't save you.
  9. Re:nice that there was an MS rep there to pay him by moderatorrater · · Score: 3, Insightful

    using this guys logic, he should be saying to dump Microsoft and use another OS due to the large number of breakins on Windows boxes.

    Unless he thought that the cost of switching OSes was significantly higher than the cost of switching to another free piece of software on top of that OS. With Windows, people need it to do things that no other operating system can do, namely, running Windows-only applications as well as they can be run. Switching to another OS requires either dealing with emulation, a VM, or not being able to run those programs at all. In addition, there are costs in either a steep learning curve going to linux or hardware to get a Mac. Cost to change: many, many hours of learning or a few thousand dollars.

    On the other hand, as long as these PDF readers can read any pdf that adobe can, and as long as they're free like adobe is, there's no other cost. Hell, you can even have adobe installed just in case you'll need it, but make another reader the default for everything, thereby giving you the security of having another reader without any loss in functionality. Cost to change: maybe half an hour.

    In other words, your bias is showing.

  10. better -- use pdfs appropriately! by owlnation · · Score: 4, Insightful

    Actually, what would also be a huge help (regardless of reader) would be to only use PDF where it was appropriate to do so -- namely, when the end user actually needs to print said document.

    I realize there's pretty much no point in saying this, as it seems that many designers -- especially in large organizations -- seem to give little thought to the end user, and the usability of their site. (inappropriate or unnecessary use of pdf, flash, javascript, popups (still!) etc )

    I'm tired of going to a site to find that in order to find out -- for example, where an event is going to take place -- that I have to download a 3 page pdf document, one that would have been so much easier and quicker and accessible as html on a webpage.

    I'm willing to bet that, at the very least, half of all pdfs created do not need to be pdfs in the first place.

  11. Okular has no chance there ... by MartinSchou · · Score: 5, Insightful

    Okular has no chance there. Not amongst regular Windows users at least.

    Step 1 - Go to PDFreaders.org - no issue
    Step 2 - Click on "Download" on the intersection between Okular and Windows - no issue
    Step 3 - Click "Download latest installer for immediate installation. - no issue
    Step 4 - Run the KDE installer - not so much an issue, as what it does is
    Step 5 - Click Next - "install from Internet" is the default setting, sounds reasonable
    Step 6 - Select a download server - "What the hell did I just download then?"
    Step 7 - Select an available release - Ehh? Whut?
    Step 8 - Select the package you want to install - Well, that's just fucked up. 140+ packages to choose from. They're sorted by package name ONLY, cannot sort by package notes.
    Step 9 - Look for something called Okular as package name. None found
    Step 10 - "Oh, well, maybe these are packages I want in addition to Okular. I mean, I downloaded the Okular installer, right?"
    Step 11 - Click Next
    Step 12 - Installation/Update finished
    Step 13 - Realise that NOTHING has been installed.
    Step 14 - Get annoyed
    Step 15 - Call tech support (realise this is a free program and there's noone to yell at)
    Step 16 - Download and run the installer again (because they forgot where they downloaded it to)
    Step 17 - Get to the package list and start reading very carefully
    Step 18 - Wonder why the hell the package list goes Czech, Kashubian, Welsh, Danish, German, Greek, English, Esperanto, Spanish, Estonian [spelling package]
    Step 19 - Realise there's still no Okular package anywhere
    Step 20 - Read the list for the 3rd time and note that "Graphics applications" has a note "(including Okular)"
    Step 21 - Wonder why the hell the download Okular link from before doesn't give you the fucking package to begin with
    Step 22 - Notice that you're now downloading 40 (forty!) packages from the servers
    Step 23 - Notice that one of these files are 60+ MB
    Step 24 - Wonder why they call Acrobat Reader bloated and slow when that installer is less than 25 MB and takes about 30 seconds to install, just by clicking Next until you're done.
    Step 25 - Notice that you now have a folder called "Programs" in your Start menu's program folder, which is aparently a sym-link to the program folder (doesn't point to itself though)
    Step 26 - Find the "KDE 4.22 Release" folder in Programs and notice these programs:

    • Help
    • Graphics\More Applications\KColorChooser (Color Chooser)
    • Graphics\More Applications\KRuler (Screen Ruler)
    • Graphics\Gwenview (Image Viewer)
    • Graphics\KolourPaint (Paint Program)
    • Graphics\Okular (Document Viewer)
    • Network\KNetAttach (Network Folder Wizard)

    Step 27 - Wonder once more why the hell people call Acrobat Reader bloated when this program installs with 5 extra programs.
    Step 28 - Start the bloody program!
    Step 29 - KConf_update.exe would like to run. So, Acrobat Reader running its updater - Bad! This - GOOD!
    Step 30 - TRY to put frustrations aside and use the program

    That installer REALLY needs some work.

    And if you are going to have a Windows program, be as kind as to have an actual uninstaller. NONE of the KDE programs installed are listed in (Add/Remove)Programs(and Features). No uninstallers in the start menu either. I realise a lot of vocal FOSS supporters don't like Windows, but please - if you're going to advocate FOSS, at least make it live up to the LOW standards of Windows software (the non-malicious part of that group).

    1. Re:Okular has no chance there ... by LiquidFire_HK · · Score: 3, Informative

      Well, to be fair, the KDE on Windows page does say, in bold,

      KDE on Windows is not in the final state, so applications can be unsuitable for day to day use yet.

      The installer is far from suitable for end-users as well. I'm not sure why the website would link to the KDE installer without any instructions (there is no installer specific to Okular, or any specific KDE program, yet).

  12. Foxit is unsuitable by GF678 · · Score: 4, Informative

    This isn't FUD, this is based on my own experiences:

    I've found that the latest Foxit Reader is unable to show certain PDFs, in particular those created using the latest version of Adobe Acrobat. I created some PDFs in Acrobat 9 and when loaded into Foxit Reader 3.0, showed up entirely blank. The only way to view them was to put Adobe Reader on instead. So I did.

    I'm not sure why Foxit showed these PDFs entirely blank. Maybe Acrobat 9 has a new version of the PDF standard that's incompatable, I don't know. What I do know is it means that if I want to gurantee the viewing of PDF files, I pretty much require Adobe products, which isn't that bad if you're using Reader 9 (much faster than version 8).

    Possibly a vendor lock-in mechanism, but I'm tired of fighting. It's easier just to go with Adobe and get on with work.

    1. Re:Foxit is unsuitable by GF678 · · Score: 4, Informative

      One more thing I forgot to mention - I switched from Acrobat to PDFCreator a while back. It's very good, and anything I render using PDFCreator works just fine with Foxit Reader. Also has the side benefit of being open source and an example of an actually GOOD open source product. Unfortunately this doesn't discount the fact that other people might use Acrobat to render THEIR PDFs, and I don't want to cut myself off from being able to view them.

  13. Broken ones are JetForm/LiveCycle based by bigtrike · · Score: 3, Informative

    Foxit does not yet support JetForm/LiveCycle based PDFs. Neither does OSX's Preview.

    I wish people would stop using LiveCycle to produce PDFs, from what I can tell the format is not documented in the PDF ISO specification. Additionally, the newer format does not seem to provide any features that were not previously available in PDF. One can only speculate that it was done out of laziness or to thwart competition after they opened the format.

  14. This is slashdot! by Kludge · · Score: 3, Insightful

    Step 1: Don't buy anything with DRM protection.
    Step 2: Repeat.

  15. Tracker Software by eric2hill · · Score: 4, Informative

    The free PDF Viewer from Tracker Software is a wonderfully fast PDF reader, and comes with annotation capability right out of the box. They are very developer friendly, and their PDF XChange printer drivers produce PDF's that are tighter and better optimized than Adobe themselves. Great company to work with, and a great free PDF viewer.

    --
    LOAD "SIG",8,1
    LOADING...
    READY.
    RUN
  16. Re:How about a security review? by mrbene · · Score: 4, Informative
    I think F-Secure's unofficial stance is outlined best in their blog from a while back:

    we're not recommending Foxit. We're not recommending Sumatra. Or PDF-Xchange, CoolPDF or eXPert PDF. Instead, we recommend users to find their own Adobe Reader replacement. This way we get more heterogeneous userbase, which is a good idea security-wise.

  17. I'm waiting for the... by mysidia · · Score: 3, Interesting

    Adobe suggests ditching F-Secure for other anti-malware products.

    But that won't happen and people aren't going to switch PDF readers, until the security software itself starts identifying Acrobat installations as riskware and displaying dialog boxes alerting users to the security risk and what actions they need to take (what types of alternatives are available to use)..

  18. The Gimp is Cross-Platform by flyingfsck · · Score: 3, Informative

    You can edit PDFs and paste text onto forms with the Gimp. Kinda painful, but it works and then you can save the file in any format you want.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!