Adobe Chided For Insecure Acrobat Reader

The Register covers security firm Secunia calling out Adobe for its insecure distribution practices with regard to Adobe Reader. (Here is Secunia's note.) The accusation is that the way Adobe provides Reader extends the software's window of vulnerability once an exploit has begun to circulate. Version 9.1 of Reader, which is what you get when you visit the official download site, contains 10 vulnerabilities that were patched by later releases. "Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild... Visitors who obtain Adobe Reader from the company's official downloads page will find that it installs version 9.1 of the program on their computers, even though the most recent version was 9.1.2 at time of writing. That could put users at considerable peril given the number of vulnerabilities fixed in the two iterations that have come since 9.1, complains Secunia..."

third!

third!

What?

There's a version without vulnerabilities?

Re:What?

[Jurily]

There's a version without vulnerabilities?

Yeah, the experimental branch called Foxit Reader. I heard it's a lot faster, too.

Re:What?

Kaan | | Maki-Naci | Peynirci Salih

Re:What?

[Kozz]

Gesundheit.

Re:What?

[dasherjan]

I never understood why a simple PDF reader needs to have enough access to a system that the vulnerabilities that are in the Adobe Reader could even exist. Of course I only use a PDF reader to actually read the file. I guess there are some âoesuper eliteâ things to do with Adobe Reader that I have no clue about.

Re:What?

Just read PDFs using nothing more than a hex editor and a copy of the PDF specification, which unfortunately for you is distributed as a PDF file.

Re:What?

Foxit is not failproof. One of my clients uses very, very detailed files in PDF showing many, many, many lines, shapes, squares and polygons (they're commercial real estate site plans). Foxit simply runs out of steam when rendering these and quits.

Or it takes 55 minutes to print a 35 page PDF...

Whereas Adobe 8 (or 9) will print / render the same in about ... 10 seconds

Re:What?

I just wish they would get their act together and write their software to have a functional update feature that doesn't require admin privileges. There is nothing they do that should require them monkeying around in the non-user part of the registry (and really they don't need to be there).

We complained that Microsoft didn't implement proper user access controls. When they do non of the software developers bother write their software to use it (Microsoft included) and non of use turn it on because of that.

Huh?

[CarpetShark]

Just about every binary distribution on windows is doing something similar these days. Short of someone building a proper, open, distributed, secure package manager for windows, they're probably doing the best they can by having updates at all. It's better than having to go check the webpage for corrections.

That said, if this kind of complaint becomes more common, and all software is seen as flawed in this regard, then it'll be a great push towards proper package management on windows.

Re:Huh?

[moon3]

proper, open, distributed, secure package manager for windows

I still very much prefer the Internet to be the download system for Windows applications, where authors have control and choice over their distribution channels.

Re:Huh?

[DavidRawling]

The thing is, they (Secunia) have a point. Why are Adobe offering the old version, and requiring updates post-installation, for a version that is known to have serious issues.

Let's face it, people install it because they want to view the PDF file they've just received, or downloaded. They're not going to be conscientious about updates because they just downloaded it and they expect it to be up to date. Let's not forget that plugins have pretty much always worked that way (eg Flash).

Re:Huh?

[rysiek]

The problem is not that there is no package manager, automagically updating the packages; the problem is, on Adobe Reader's official download page there is an outdated version featured. So everybody that get's directed to that page through google search or whatever, dowanloads and installs an unpatched, vulnerable and exploitable version. Cheers

Re:Huh?

Just about every binary distribution on windows is doing something similar these days.

Um, no. The issue here is that the download available from Adobe's web site is not the most recent released version of Adobe reader (e.g. you still download 9.1.0 even though 9.1.2 has already been released). I really can't think of any other software where this is the case. If you download Firefox you get version 3.5.1 not 3.5.0, if you download Java you get version 6u14 not the original release of Java 6.

Re:Huh?

[compro01]

His suggestion by no means precludes your desire. Take APT+synaptic (or whatever GUI frontent you like, or just the command line if you want.), for instance. nice centralized way to get and update programs. But if you want to host .deb files on your own site and not deal with repositories, that works fine too.

Re:Huh?

[MichaelSmith]

If Adobe didn't want to continually change the released version they could change the installer once to check for new versions.

Re:Huh?

[bheer]

Indeed. And given that Windows Update already exists, and given that Microsoft is antitrust-law bound to allow everyone equal access to Windows, why not open up Windows Update to allow it to update all your apps? Microsoft Update (an extension to Windows Update) already updates things like Office, .net, silverlight, etc. So why not publish a white paper on how to get your app included in Windows Update in a fair, non-discriminatory manner?

(Alternatively, folk could band around the open-source GoogleUpdate backend. These days it doesn't even run all the time.)

I for one would love to see the end of lots of different *update.exe apps running on the average user's computer.

Re:Huh?

[Runaway1956]

sudo apt-get remove windows

Re:Huh?

[jonwil]

Even if Windows DID have a proper package manager (from Microsoft or anyone else), many companies would not want to use it since it takes away control over certain things. For example, Norton checks your serial number and details against the database of valid licenses before it will download any updates (so pirates cant crack it to get it to pull virus updates that they havent paid for) The updater for Apple products always tries to convince you to install the products you dont have (if all you have is Quick Time, it tries to push you to install iTunes and Safari as well, which is why I dont have Quick Time on any PC I own)

Re:Huh?

If I were to download a popular linux distribution, will the CD install the latest patches; or is it better to install your packages from the repositories rather than a disc?

Re:Huh?

[Spit]

All they can? Are you fucking serious? How about not coding such shitty software in the first place, for starters.

Re:Huh?

[Spit]

Ubuntu installer will download all the patches before rebooting to the installed system.

Re:Huh?

[jonwil]

I have the following updaters running on my system:
Miranda IM (built into the program and just opens the URL to the new full-installer in the default browser)
AVG (built into the resident parts of the program)
Acrobat Reader Updater
Sun Java Updater
Microsoft Update (set to not download automatically since I prefer to have choice in which updates I install)
various games (most of which check for updates when I connect to the online bit)

Conversely, there are programs I wish DID have automatic updaters:
SeaMonkey (my copy of 1.1.x doesn't seem to have one)
Nvidia Display Drivers (the only way to go seems to be manual download or via some widget that SM1.1.x doesn't support)

Re:Huh?

[mlts]

Maybe Microsoft could have this as part of the Windows Logo requirement. This could be implemented in two ways:

The first is actively hosting all updates. The problem with this is that it would require very large amounts of bandwidth, so there would have to be a revenue stream to Microsoft for them to be able to do this and remain profitable.

The second is having a pointer to the vendor's download URLs for a file. This is a lot easier, but still requires some added infrastructure and bandwidth. However, third party utilities like Secunia's PSI are able to hunt down and point out outdated/insecure versions, so it wouldn't be too onerous for a central switchboard for application vendors to have one place for update checking. Acresso (formerly Macrovision) has this functionality in their FLEXnet Connect product.

Re:Huh?

[bheer]

Windows Update has been distributing display drivers for some time, but the driver provider has to have a deal with Microsoft. It's really convenient - on Windows 7, WDDM display driver updates don't even require a restart. I wish more driver manufacturers made sure their product was distributable via WU. An open API to WU would make things so much simpler.

Re:Huh?

[CarpetShark]

I really can't think of any other software where this is the case.

I've seen plenty. It's also what happens just about every time you install from a retail package. And that's the GOOD software that has updates at all.

Re:Huh?

[CarpetShark]

(Alternatively, folk could band around the open-source GoogleUpdate backend. These days it doesn't even run all the time.)

I didn't know this had been opened up. Thanks for the pointer :)

Re:Huh?

It's also what happens just about every time you install from a retail package

Only if from a disk, where the media it's on is the issue. There simply is no excuse for not doing it when distribution is via the internet.

Re:Huh?

LOL! Good one Runaway1956! Laughed until I cried.

Re:Huh?

[mrsurb]

sudo apt-get purge windows

There - fixed that for you. Just in case.

Re:Huh?

[hairyfeet]

As a PC repairman I hate to break the news to y'all, but home users never update the damned PC. you could give them Apt and it would be just one more update they don't actually use. I have had machine come across my desk with 4+ year old copies of Norton AV (expired of course) and not a single update applied since it left the factory. That is just SOP for a good 90% of home users.

That is why my customers love me so much, because my motto is "do the thinking so they don't have to". So not only do I use Autopatcher to install all the current updates and have the latest service packs as well as set autoupdate for the OS, but I install Foxit set to autoupdate, have Spybot scheduled to autoupdate and scan, install Comodo AV/Firewall and have it set to scan on the customers schedule, install Firefox and set it to be the default browser, install the latest Flash and Shockwave and Java as well as Klite Mega codec pack so I don't have to worry about them downloading dodgy codecs, and finally install VLC Player which autoupdates and have it set as default video player.

While I don't get the return business of those that just reinstall and hand it to the customer to bone again I make up for that in referrals. But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation and I'm sure the EU would find a reason to have a shitfit, but then MSFT would get to deal with 3 or 4 years worth of lawsuits when they refuse to "provide" the myriad of programs that insist on installing toolbars or unrelated programs, like Java (toolbar) or iTunes (unrelated Safari and Quicktime).

So while having a central repository works for Linux, it simply would never work for Windows. Between trialware, crapware, toolbar installers, and unrelated installers you would either make it a one stop shop for crap which means the users would never allow it to run, or MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

Re:Huh?

[bheer]

Indeed, that is exactly what the IE7 and IE8 installers do. So even if someone burnt an old version of IE7/8 to CD and distributed it with a magazine, anyone installing it with a net connection would automatically get updates.

Re:Huh?

[TheP4st]

MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

Must.. resist... urge... to... make... joke... about... MS.. and.. courts... and... crapware

Re:Huh?

apt-get fucked

Re:Huh?

[jgrahn]

But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation and I'm sure the EU would find a reason to have a shitfit, but then MSFT would get to deal with 3 or 4 years worth of lawsuits when they refuse to "provide" the myriad of programs that insist on installing toolbars or unrelated programs, like Java (toolbar) or iTunes (unrelated Safari and Quicktime).

So while having a central repository works for Linux, it simply would never work for Windows. Between trialware, crapware, toolbar installers, and unrelated installers you would either make it a one stop shop for crap which means the users would never allow it to run, or MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

How about a standard place in Windows where a newly installed program could register itself? Like, "I am FooBar version 69, and updates to me will be available at http://foobar.org/blah and signed with this public key". Then you could have a machine-global Update Everything button go through them and do updates as needed. Doesn't solve dependency trackning though.

(Not that I care -- it's the Windows users' problems, not mine.)

Re:Huh?

[Gnavpot]

But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation
[...]
So while having a central repository works for Linux, it simply would never work for Windows.

It is obvious that your statement is based on a lack of knowledge of apt.

Apt does not depend on a central repository. Yes, there is a central repository for the distribution's official packages. No, you are not limited to using this repository.

Any software vendor can set up an apt repository, and you can add that repository to /etc/apt/sources.list including keys for signed packages.

In the Windows version, this would mean that an installer for a third-party program could add keys and download information to an update service running on the local PC. MS would not need to be involved at all - but they would need to make an updating routine with an open interface.

Re:Huh?

[Opportunist]

I try to refrain from thinking too hard how to abuse this ... too late.

Re:Huh?

[Opportunist]

Easier said than done. You're not in OSS land here, you're not dealing with a program designed, envisioned and projected by programmers. You have a beancounter and a manager who want that program on the street before their quarter report is due.

It's not that the shipping date is when it's done. It's done when the shipping date rolls over.

Re:Huh?

[Threni]

> If Adobe didn't want to continually change the released version

How many versions are they releasing?

Never mind the installer - why doesn't the program itself check each time it's run, like Firefox?

Re:Huh?

[commodore64_love]

>>>As a PC repairman I hate to break the news to y'all, but home users never update the damned PC. you could give them Apt and it would be just one more update they don't actually use.

I don't update my PC.

It's because I no longer trust y'all.

Too many times I've installed updates from Mickeysoft or Exploder or various Firepox Addons (think noscript), only to discover the latest update was, itself, broken. i.e. My computer stopped doing what it used to do. Why would I want to accept revisions of software that's going to make my machine stop working? "If it ain't broke, don't fix it" has become my philosophy because I'm tired of getting updates that break things.

Aside-

There was a time when we didn't have the internet and software shipped on floppies or CDs, so programmers were expected to get the software working 100% out the door. No second chances. i.e. The same constraints we hardware engineers have to deal with - get it right out the door.

Re:Huh?

[commodore64_love]

Package managers? APT+synaptic?

I wish I knew what ye were talking about. (shrug). I don't see anything wrong with the current model of having each program "phone home" and check for updates when you run it.

Re:Huh?

[commodore64_love]

"Hello. I am SpyBot version 42, and updates to me will be available at http://nigeriaisafunplacetosteal.com/ and signed with this public key."

There has to be some oversight from Microsoft to prevent this from happening, and we know from Apple's iPhone approval/disapproval process how well that does Not work.

Re:Huh?

[BumbaCLot]

I think you completely missed the point.
Adobe is a huge company, with tons of resources, and they are shipping TODAY an insecure version that is the cause of most zombied / spyware infested computers in the past few months.
All they have to do is put the patched version on their freaking download page!

Re:Huh?

Could probably just put an extra key, subkeys, and set of values in the windows registry, and have the existing windows update site call those...

HKLM\Software\Updates\%PROGRAM_NAME_OR_GUID%

String Value - UpdateURL

DWORD Value - AppVersion

Sure, you could say that a malicious program could tamper with this, but really, malicious programs tamper with the registry, and the ability for windows and antivirus programs to update ALREADY...

Re:Huh?

Klite Mega codec pack

You shouldn't be allowed near a PC again. Wasn't the one true codec pack to rule them all supposed to be CCCP? Well, until the next person decides to solve the problem of too many codec packs once and for all by making another, bigger, better codec pack.

Why don't you also install bonzai buddy, comet cursor and smiley central while you're at it.

Re:Huh?

No. A SpyBot which can register itself at that level has already the capabilities to update itself. I fail to see the problem.

Re:Huh?

[bberens]

I have a cron job running on my linux machine which gets the latest version of everything every night at 2am, so I'm virtually always on the latest version available. Instead of having one updater tool for each application, having one updater tool that looks for updates to hundreds of potential apps you may want to install would be a much better use of resources on my PC. And the default installation setting for this Windows tool should be "auto-update once per week" or something.

Re:Huh?

[Cid+Highwind]

I don't see anything wrong with the current model of having each program "phone home" and check for updates when you run it.

I do. If something like Adobe Reader only checks for updates when you use it, and you rarely use pdf documents, it will sometimes fall a few versions behind. Then when you encounter a web site that embeds some pdf-exploit-of-the-week, your system gets pwnt while Reader is still waiting to hear back from the update server.

Most vendors' cure for that: to install yet another goddamn advertising-laden, disk-thrashing, login-delaying updater with yet another tray icon that wants attention all the time, is sub-optimal to say the least.

Re:Huh?

[arndawg]

MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

Must.. resist... urge... to... make... joke... about... MS.. and.. courts... and... crapware

Must... try.... to.....make.....up ..something....funny...but...i'm..not..able...to...so..i'll..just ...pretend ...that... i ...dont... want.. to..

Re:Huh?

The problem is not that there is no package manager, automagically updating the packages; the problem is, on Adobe Reader's official download page there is an outdated version featured.

Some of us do actually want the old, outdated versions for compatibility testing. I would be very annoyed if old versions weren't available.

But the DEFAULT should be to download the up-to-date, fully patched version.

Re:Huh?

[PitaBred]

Yes, each application having it's own updater code. That's a brilliant idea! Much more memory and CPU time used, many more places for exploits to happen since each one of them has different network code... the fun is endless!

Re:Huh?

Guess the mods are equally sleepy.

Since any Windows application can already register a background update service, it certainly couldn't be any worse than the existing situation.

Re:Huh?

[ComputerizedYoga]

There was a time when we didn't have the internet and software shipped on floppies or CDs, so programmers were expected to get the software working 100% out the door. No second chances. i.e. The same constraints we hardware engineers have to deal with - get it right out the door.

Broken releases that need to be updated in the first couple days out are definitely problematic, as are regressive patches, but the "good old days" when people weren't expected to have internet connections to update stuff still had their (numerous) vulnerabilities.

Writing secure code is hard. In particular, writing code that protects against whole classes of attacks that weren't even around when you wrote your code is ... challenging, to say the least.

While it'd be nice if some of the worst offenders spent a little more time on QA before they start pushing "gold" releases, expecting perfection in nontrivial software at release time, or any other time, is a joke.

And hardware manufacturers aren't immune to that either. Why do you think BIOS and firmware updates and microcode patch mechanisms exist for most nontrivial hardware devices?

Re:Huh?

[ACMENEWSLLC]

And then when a patch for Adobe does come out, as an Admin of 600 PC's I have to use Adobe's somewhat broken Update mechanism inside reader to update it. They don't release an MSP patch for SUS/Zenworks deployment until weeks later.

They do need to fix this. Also, how often do you install a piece of software only to end up with Adobe reader 3.01, or 5 installed with it even though you have 9.1.2? That is an issue to.

Sun Java needs to fix their broken updater too. Check out http://secunia.com/advisories/35853/ then realize that I'm the Java updater's not detecting that there is a Java 6 build 14 released. I have to manually go out and download build 14. And when I do that, I'm still left with vulnerable versions of Java 3, 4, 5, and 6 builds 0-4 installed. WTF?

Re:Huh?

[commodore64_love]

As a hardware engineer I hate the rise of firmware. I'm used to the old paradigm where you buy a VCR or TV, and it "just works". No updates needed because it's spent several months in debugging, and arrives at your door with virtually no flaws. I've got a TV that's 30 years old and a VCR that's over 20 and a CD player that's around 15 years old. They never, ever needed an update in all that time.

But now we have lazy folks like Sony or Toshiba putting-out Bluray or HD DVD players that require upgrading every month, else they won't play the latest movies. That's just stupid. If this trend continues the consumer will be expected to spend several hours on the 1st of each month to upgrade their TV, their DVR, their DVD/Bluray player, their Fridge, their Stove, their Microwave, their Clock, their Phone (both wired and wireless), their playstation, their xbox, and on and on and on.

People already complain Daylight Savings Time is a hassle - this new firmware instead of hardware world will be a hundred times worse. Engineers - stop being lazy and saying "we'll fix it later". Marketers - stop setting unrealistic schedules thtat don't allow time for testing. Make it work the FIRST time without needing patches. Quality control should happen in the factory, not the consumer's living room.

Re:Huh?

[TheP4st]

Or the available material just make it too easy, so I referenced to two Alice quotes:

"Must..control...fist...of...death"

"I can't resist the urge to beat myself senseless on your table"

Disclaimer: I'm not entirely certain that the last one is Alice. But, it certainly is from Dilbert.

Whoosh?

Re:Huh?

[commodore64_love]

Good point.

(removes Adobe)

Re:Huh?

[commodore64_love]

P.S.

I think the next time I encounter a "this movie (or game) won't play without firmware upgrade" error, I'll just pretend to be your typical ignorant consumer, and call Sony for help. If they're going to waste my time with monthly upgrades, then I'm going to waste their money with expensive telemarketing calls each time it happens.

Maybe it will drive them to get it right the first time, eliminate consumer callins, and thereby cut costs.

Re:Huh?

I would probably use...

sudo dd if=/dev/random of=/dev/sda1
sudo mkfs.ext3 /dev/sda1

Of couse, if=/dev/zero would also work, and even better, DBAN. ;)

Re:Huh?

[sgtrock]

But now we have lazy folks like Sony or Toshiba putting-out Bluray or HD DVD players that require upgrading every month, else they won't play the latest movies.

That's just DRM working as designed. It's a feature! Ain't it great?

That's just stupid.

I couldn't agree more.

However, the rest of your concerns don't really fit all that well. We live in a world that is orders of magnitude more complex than what we grew up in. Much (most? virtually all?) of that complexity is due to features provided through software. All that complexity means that human errors will inevitably creep in no matter how much testing the developers do ahead of tiem. Therefore, in today's world having an easy to use (better yet, automatic!) update tool isn't just a nice to have feature, it's a necessity.

Finally, I will challenge your assertion that all products in the past never needed updates. Ever work on the monstrosity that was the engine in a Fiat Spyder 850? Try to sync the carbs in a '70s model MG Midget? Do a tune up on an early model Yamaha RD motorcycle? Heck, just open the door on a '97 Ford F150?

The reality was that successful companies figured out ways to update their models to eliminate flaws found in their older lines. They never had an easy way to go back and retro fit those earlier models, though. So, while things sometimes Just Worked, sometimes they didn't.

Re:Huh?

[hurfy]

Even if they want to they would have to try pretty hard to update some of it. 2nd computer has Acrobat reader 7 on it. If you click check for updates it gives me some language pack. Umm...no mention of the other 20 versions between 7.0 and now! Like someone else mentioned, it is entirely possible to accidentally get an old version installed along with something else. Joe Sixpack certainly is not going research what version it should be if the update button can't be bothered to figure it out.

Re:Huh?

[wastedlife]

I was going to post this same thing. Also, if they make it like regular Automatic Updates, it would do the checking, downloading, and installing on its own. In fact, you can adjust it so it only checks and informs you of updates if you are paranoid, or checks and downloads but not installs if you don't want to be annoyed by the "You need to reboot NOW!" messages every 5 minutes while you are in the middle of working. All Microsoft would need to do would be to open up the protocols for the update server and add the ability to let a program add its own automatic update repository and key.

Re:Huh?

As a PC repairman I hate to break the news to y'all, but home users never update the damned PC.

Selection bias. The only people you see to begin with are those that a) are not technically inclined and don't know anything about computers, b) don't have any friends/relatives that do, and c) DID manage to have their systems fucked up somehow.

Any home user who knows a bit about computers is much less likely to be your customer. Any home user who has a friend or relative that helps them with this is quite unlikely to be your customer. And any home user who, despite everything, manages to keep their system clean and working is not your customer.

Re:Huh?

While your at it, why don't you install a few IE toolbars to go with all that crap.

Re:Huh?

[BitZtream]

Whats wrong with the iPhone approval processes? Just because you saw some twit blog about it doesn't make it true.

They have like 50k apps in bearly over a year. You know what, you are right, the process is failing miserably because a few douchebags with some app that Apple didn't want included have big mouths and have been picked up by some blog.

If the App Store is done 'wrong' or 'bad' then I pray to god that I can elevate my own business to the 'wrong' or 'bad' stage, I'll be rich bitch.

Re:Huh?

[CarpetShark]

I think the whole argument is ass-backwards, to be honest. Software will ALWAYS need updates, no matter how fresh it is when you install. With the move to ever more online software, like MMOs, financial apps which integrate with websites, thin-client webapp frontends, etc., this is even more true lately. To start from a position of assuming that updates are bad or should not be expected is just stupid. What we need to do is focus on getting a modern, secure, comprehensive update system for all major OS's.

Re:Huh?

[wastedlife]

I've read that using dd to write straight zeros is actually more effective than even using a full Gutmann wipe with DBAN. And now that I've said this, I can't find the article with just a few google searches and don't really feel like looking further. Then again, nothing quite beats a large hammer and/or some explosives.

Re:Huh?

[wastedlife]

Certificates. When a user purchases software, issue them a certificate that is added to the package manager along with the repository location and its signing key. Configure your repository server to not issue updates if the user's certificate is either revoked, expired or invalid. Although one thing I believe probably should have its own updater would be antivirus/antimalware because you may want that on a separate schedule from your usual updates. For example, I may want my applications to update weekly or monthly, but my antivirus signatures to update daily or hourly.

Re:Huh?

[hairyfeet]

And how long before every piece of malware on the planet exploited it and you would have antispy programs disabling the reg key? the only way a central updating Apt style thing would work is if you had a gatekeeper like you do with central repos making sure that malware wasn't abusing the system.

Since it would have to be integrated with MSFT update (or else you could just use one of the many third party apps that will look for old versions for you) that would make MSFT the gatekeeper. Then comes the lawsuits from all those apps wanting to install toolbars and other crap (hell even Java tries to install a fricking toolbar now) MSFT would get to spend the next decade in court over it by refusing apps or allow it in in which case users would simply disable MSFT update for fear of getting crapware.

The simple fact is the reason these ideas won't work is you are trying to use Linux conventions on a MSFT OS. Linux simply doesn't have every fricking program under the sun trying to install toolbars, it doesn't have the huge amount of spyware, malware, crapware, etc that MSFT OSes have. And since MSFT has already been busted under antitrust anything that gives them more power would pretty much automatically generate a lawsuit and have the EU having a royal shitfit anyway.

And as for the ones that brought up the Apple App store? Oh please. They have....what? 50k apps in there? Imagine that jumped to 30 to 40 million overnight, with half of them wanting to install toolbars, and with thousands more demanding entry or they'll sue every single day. How long do you think Apple could keep up? Either MSFT would just have to leave it an open door, which as I said would be taken by the malware writers almost immediately and made worthless, or MSFT would have to sift through all those Windows programs, checking each one and publishing a list of things not allowed (like toolbars or unrelated downloads) which then Apple and Sun and everybody else would then sue them over. Because if you use OSX I doubt you know that Apple tries to shovel Safari and iTunes when you try to update Quicktime on Windows. So Apple is just as guilty as Sun and all the others trying to install toolbars and unrelated crap in Windows.

I'm sorry, but it just wouldn't work or MSFT would have done it already to give themselves another bullet point against Linux.

Re:Huh?

[hairyfeet]

Hey, if I had my way it would just be VLC and done. Sadly there are many customers that insist on using WMP no matter what. So by using Kilte Mega ( which I eat my own dogfood and test it on my own machines and it does allow WMP to play just about anything a user is liable to run into) I am able to tell them "if something says you need a codec it is a lie and is spyware. Do NOT install!" and am able to cut down on virus infections.

Of course if it was a perfect world I'd be able to give them Noscript and they would actually learn to use it, thus wiping out JavaScript related malware, but until NoScript makes an "easy" mode where there is just a "play the video" button I have to stick with what works for my customers. You know the customer is always right, even when they are wrong. if they insist on using WMP for everything then the least i can do is make sure WMP works out of the box.

What would you suggest I do, give them nothing and let them install every fucked up untested codec in WMP themselves? Would probably get me more repeat business but I take pride in my work. When I set up a PC it is done, and short of them ignoring every warning just to see the bunnies a machine built/fixed by me will "just work" out of the box and keep right on working, no thinking required.

Re:Huh?

[wastedlife]

I grant that MS would need to walk on eggshells here to prevent even more lawsuits, but I can't see how it wouldn open the door to malware any more than any other update mechanism for Windows. Not doing something just because it is possible (not even that it increases the risk) for it to be exploited would mean nothing would ever get done.

As for toolbars, they should stick with the current MSI/MSP model. When you install using an MSI file, there is normally a section asking what sections of the application that you want to install. When you run an MSP over that, it only updates what was installed. This means if you said no to the toolbar on the first install, the patch will not install the toolbar either. If the user goes to the Add/Remove Programs and chooses Modify, they can install the other sections of the application, like the toolbar. If a new feature is added, a mechanism should be put in place to prompt the user if they want to install this new toolbar/widget/dancing bear. Its probably possible for an MSP to force the toolbar, but that is not MS's fault, it is an application maker that is ignoring user preferences. If an application maker did this to me, I would stop using their app.

To counter the argument that this would give MS more power and lawsuits to follow, they would probably have to make this optional for the application to us. Not having to write and maintain your own updater should be a pretty sufficient reason for an application maker to use the updater. It also will mean users are more likely to keep their programs up to date and they will have less support cases about issues already fixed by an update.

I do agree that the Apple App store model would be terrible, especially since that means MS would need to host and control the single repository. This almost certainly would lead to lawsuits, and would add a huge burden of overhead for them to maintain.

Re:Huh?

MSI manifests already include the products' tech support URL, so I think things are moving in this direction. There really does need to be a centralised update mechanism for ordinary users though.

Re:Huh?

[PhunkySchtuff]

(Not that I care -- it's the Windows users' problems, not mine.)

Well, if I were you, I'd care as these Windows users who don't update are running the botnets that end up putting spam in yours and my inboxes...

Re:Huh?

[PhunkySchtuff]

The level of complexity involved in something like a bog-standard CD player as compared to a Bluray player is a world of difference.
A CD player needs to load a tray, see if there's a disc in it that it recognises and play back red book audio. If you're lucky, the engineers will have implemented a shuffle and a track programming mode. This is pretty basic stuff and can be done with a simple microcontroller.

A Bluray player on the other hand is a full-blown computer, it has it's own operating environment, has to be able to handle red book CDs, DVDs, Bluray discs etc. It will probably also handle stuff like discs burnt in various data formats, High Sierra, Joliet, UDF etc with MP3s, Divx, JPEG etc on them for convenience. They also have a complete Java based virtual machine implementation, graphical menus for configuration, and a whole lot more.

While you update the "firmware" on these machines, it's only firmware in the vaguest sense of the word - it's really software and it's a complete operating system for them with a LOT greater chance of errors slipping in, vulnerabilities needing to be patched, DRM needing to be updated etc.

I'm not a programmer, but could with a bit of work write some software that would be provably correct to handle a CD player. I wouldn't even know where to start with something like Bluray...

Re:Huh?

Your reply is clear, concise, thoughtful and well-informed. It was a pleasure to read, a rarity among AC posts.

Now, cut it out! You're giving the rest of us AC posters a bad name!

Re:Huh?

[Gnavpot]

And how long before every piece of malware on the planet exploited it

If a piece of malware can exploit an auto update service, that malware is already running. And not just running - it is running with administrator privileges.

If you have malware running on your system with administrator privileges, you have already lost. If that malware wants to download and install more malware, it can do so very easily. It certainly doesn't need an auto update service to accomplish that.

Re:Huh?

They don't release an MSP patch for SUS/Zenworks deployment until weeks later.

Did you know that you can create your own patches and deploy them? As for things such as a broken Java installer, and multiple versions of Java installed, if you're not building and maintaining your own base computer images, you're an idiot, just as you are if you *know* that there's a problem with Sun's installer, but don't uninstall old versions of Java before installing the current one, or don't do installations of software onto a test computer to see what gets installed and what effect, if any, it has on your systems.

It sounds to me as though you're not a very good administrator. But, you do whine an awful lot, so you fit in here really well.

Re:Huh?

Further reason why DRM needs to be killed with fire. It would substantially reduce the complexity and number of errors.

Re:Huh?

[mjwx]

Indeed. And given that Windows Update already exists, and given that Microsoft is antitrust-law bound to allow everyone equal access to Windows, why not open up Windows Update to allow it to update all your apps?

Because I get enough blue screen loops from Microsoft security updates alone. I cant trust them to test their own updates properly, let alone someone else's.

Re:Huh?

[lennier]

No Google Updater or Apple Updates?

Re:Huh?

[mrdtr]

Yeah if Microsoft did this, we would get all the MS fanboys saying how great it is. Oh and how they'll twist it some way into Linux stole that idea from Windows. LOL

Re:Huh?

[jonwil]

I have no Apple software installed (and will not do so as long as Apple continues to push me to install iTunes and Safari every time there is a QuickTime update) and I dont have any Google software installed either (or if I do, it doesn't install the Google Updater)

Re:Huh?

[commodore64_love]

>>>They have like 50k apps in bearly over a year.

And that's the flaw. In a free market that doesn't require Central Economic Planning (aka apple approval), that number would be 100 times bigger.

Re:Huh?

[ACMENEWSLLC]

Haha., sounds like you are just an a-hole who does not get the point.

I do this. I have multiple test VMs so I can test and snapshot my updates. I have a large batch file to uninstall previous versions of Java, and delete the left over .cabs in ALLUSERPROFILES. I do all this crap. I spend an absurd amount of time doing it. I Wireshark what the built in Adobe update is downloading so I can grab it and install it via Zen since it's not immediately available on the Adobe redistributable site.

What about software like Console One or Websphere which installs ancient versions of Java into non standard locations?

Other vendors release proper updates. Why can't Sun and Adobe?

Adobe Reader has always been bad for this.

[BikeHelmet]

Adobe Reader has always been bad for this - even back when it was called Acrobat Reader.

Aside from having dozens of different versions installed - whatever version you installed was always out of date, unless you started it up(which took ages), and clicked the Check for Updates button. Then it'd tell you you're out of date. You download an update, it restarts, and then you do it again... and it downloads another update. It installs the update, and restarts, and then you do it a third time to check for another update.

After all, jumping from 8.1 to 8.1.3 is much too large of an increment. Each version must be applied incrementally, and it's completely illogical to download every required update at the same time.

Ahh... the fond memories! It takes me right back. Now I remember their artificially slow installers, that did nothing for minutes on end just because of your OS. Such pleasant times!

Re:Adobe Reader has always been bad for this.

[bheer]

That's bothered the heck out of me too! It's almost like Adobe doesn't have a clue about doing proper updates. They should really pay some guys from Mozilla to come and teach 'em. Say what you like about Firefox, it was the first Windows product I've used which devoted a good deal of engineering thought to making updates easy.

Re:Adobe Reader has always been bad for this.

I've heard (it may be just a rumor, can't say for certain) that Acrobat Reader was originally developed using aborted fetuses, glue and AIDS. Still I don't know if it's true or not but it could help explain why it sucks horse dick.

Re:Adobe Reader has always been bad for this.

[pedestrian+crossing]

Say what you like about Firefox, it was the first Windows product I've used which devoted a good deal of engineering thought to making updates easy.

Not enough, apparently.

Where I work, they are about to remove the 'fox from all systems because updates make it the default browser, even if it wasn't the previous default. There is currently no way to prevent that from happening.

Not exactly enterprise-friendly behavior...

Re:Adobe Reader has always been bad for this.

[Nerdfest]

They seem to have had Windows developers in to teach them about writing secure software.

Re:Adobe Reader has always been bad for this.

[bheer]

Does it do that? I use Firefox at work and it auto-updates, but IE7 is my default (for intranet apps). But yes, it is enterprise unfriendly - there's also the small matter of *still* not providing official MSIs and an offical admin/customisation kit.

Still, Firefox's update is amazing for home users. You can be reasonably sure that a majority of home users will be running the latest version within days, thanks to its silent, no-fuss approach to updating. And it works without a ridiculous FirefoxUpdate.exe running constantly in the background.

Re:Adobe Reader has always been bad for this.

[jonadab]

> even back when it was called Acrobat Reader.

Clear back then, huh? What was that, a whole two years ago?

Kids. Sheesh.

Re:Adobe Reader has always been bad for this.

[bheer]

What's funny is that things would be better if that was true. An auto-updated Windows install is pretty secure out of the box these days. Microsoft's SDLC (Secure Development Lifecycle) seems to be showing results -- haven't you noticed how the attack surface of choice on Win32 tends to be apps/plugins these days? (or unpatched Windows installations).

Adobe meanwhile looks like it's dev practices are stuck in 1999.

Re:Adobe Reader has always been bad for this.

[jonadab]

> Say what you like about Firefox, it was the first Windows product I've used
> which devoted a good deal of engineering thought to making updates easy.

And they got it wrong. Badly wrong.

Firefox updates don't happen, EVER, unless someone logs into the computer under a privileged administrative account. On a normal desktop computer, that shouldn't need to happen on a regular basis.

Assuming the administrator who does the install doesn't uncheck the auto-update checkbox, the updates should happen automatically, in the background, whether there's even a user logged in or not, *completely* irrespective of what privileges the logged-in user does or doesn't have.

Granted, Symantec and Microsoft are barely better at this. They theoretically have their updates set up to happen automatically in the background, but then about every third update or so there's one that won't, until an administrator logs in and does the update manually. In Microsoft's case, this is usually because the update wants to prompt the user to agree to yet another pointless EULA. I have no idea what Symantec's excuse is.

Re:Adobe Reader has always been bad for this.

[colfer]

Firefox 3.0.12 updates to 3.5, when you ask for updates. Then if you ask again, you get 3.5.1, to fix the critical security bug in JIT.

Re:Adobe Reader has always been bad for this.

[pedestrian+crossing]

Does it do that? I use Firefox at work and it auto-updates, but IE7 is my default (for intranet apps).

It does if you push the update. Unfortunately, where I work they can't allow auto-updates. Again, very enterprise unfriendly...

Re:Adobe Reader has always been bad for this.

[bheer]

I agree it's not perfect. But for the most common use case -- home users who use XP/Vista in the 'usual way' -- it got things right.

I can actually appreciate how Google Chrome installs into %appdata% to avoid requiring admin access to auto-update. But somehow installing apps to %appdata% feels so ... wrong.

Re:Adobe Reader has always been bad for this.

[lorenlal]

But somehow installing apps to %appdata% feels so ... wrong.

Well, it's no different than installing an application to ~/bin. Yes, the real path is kinda messy pre-Vista, but now it's normally C:\Users\Username\Programs... Which isn't really any more wrong than [/export]/home/username/bin.

In fact, I kinda like it. The permissions are all limited, you don't even need to spend time as an admin to get it installed. Plus, the worst that needs to happen is an administrator says, "Save your documents, I'm going to wipe your profile."

Re:Adobe Reader has always been bad for this.

[PitaBred]

If your IT department can't even use Google, maybe it's time to start looking for a new job...

Re:Adobe Reader has always been bad for this.

[PitaBred]

I know self-reply is bad form, but further Googling shows that the latest version of Firefox is set correctly. It wasn't enterprise-friendly behavior, but then, nor was Microsoft's. At least Firefox's behavior was more than likely inadvertent, simply not being nearly as large a company as Microsoft as well as targeting multiple platforms. Microsoft changes your browser when you update, invisibly. That's more enterprise-unfriendly than anything Firefox has done.

Re:Adobe Reader has always been bad for this.

[pedestrian+crossing]

They know about front-motion, but it's not approved at higher levels. Welcome to Dilbert world...

Re:Adobe Reader has always been bad for this.

Since your company is able to push software updates, why don't they push another one that retains the default browser setting they want (either whatever the user selected before or the corporate standard)?

Sounds like they're not really interested in having Firefox.

Re:Adobe Reader has always been bad for this.

[BikeHelmet]

I use a modified Firefox Portable install across all the computers in my home. Look into it - it's pretty easy to modify, and you can keep everybody's profile on a central share.

Deployment will be a bit more of a challenge, if you need it to be the default browser. Firefox Portable doesn't steal file associations, or even have a way to register itself as the default browser, so that requires manual copying of registry keys.

If you're serious about deploying Firefox, you can probably devise a tiny app to handle that, or dredge up the required regkeys from a computer that already has Firefox installed. It might take an hour to do the first time - but luckily you only have to do it once, if you don't miss anything.

Re:Adobe Reader has always been bad for this.

[FrankieBaby1986]

My school uses a customized version of firefox. No idea if it has this behavior or not, but it is supposedly easier to manage: FrontMotion firefox http://www.frontmotion.com/Firefox/fmfirefox.htm

Fuck you asswipes at slashdot, fuck you royally !!

The problem with really getting engaged in a community is getting through the clutter and noise. In a closed environment like nin.com a lot of this can be moderated away, or code can be implemented to make it more difficult for troublemakers to persist. It's tedious and feels like wasted energy doing that shit, but some people exist to ruin it for others - and they are the ones who have nothing better to do with their time. Example: on nin.com, there's 3-4 different people that each send me between 50 - 100 message per day of delusional, often threatening nonsense. We can delete them, but they just sign back up and start again. Yes, we are implementing several changes to address this, but the point is it quickly gets very old weeding through that stuff.

Rewarding incompetence

[mr_stark]

Dont use Acrobat... There are several alternatives available all less bloated:

GPL'd PDF reader: http://blog.kowalczyk.info/software/sumatrapdf/index.html

Commercial: http://www.foxitsoftware.com/pdf/reader/

Re:Rewarding incompetence

[bheer]

Unfortunately, it isn't that simple. Many of the alternatives lack key features that make it difficult for many users.

IIRC there are some kinds of PDF Forms which still cause problems in Foxit Reader. Also, because Foxit doesn't have CoolType and Adobe does, PS/OpenType fonts which are not specifically hinted for the screen (and are used by many design shops) look *much* better on Adobe reader than Foxit, making it invaluable for pre-publishing previews.

Also, specifically for Foxit -- it has its own share of vulnerabilities.

Re:Rewarding incompetence

Also, specifically for Foxit -- it has its own share of vulnerabilities.

Perhaps, but its not as bloated/crappy as Adobe Reader.

Re:Rewarding incompetence

Sumatra is a piece of shit that simply crashes on many many PDFs that Okular, for example, handles perfectly.

Re:Rewarding incompetence

[Jeff+DeMaagd]

[quote]IIRC there are some kinds of PDF Forms which still cause problems in Foxit Reader.[/quote]

The support in the thread claim that it's been mostly fixed, and that is as of two to three months ago.

[quote]Also, because Foxit doesn't have CoolType and Adobe does, PS/OpenType fonts which are not specifically hinted for the screen (and are used by many design shops) look *much* better on Adobe reader than Foxit, making it invaluable for pre-publishing previews.[/quote]

It's a valid point for some users. But given that most people aren't in publishing (it's just one of numerous industries), it's probably not much of a selling point for most people.

I would suspect that most people wouldn't notice much of a difference if their reader was suddenly substituted.

Even if Foxit has as many or as big of vulnerabilities, its relative user base footprint is pretty small, you would have to be somehow specifically targeted for sensitive reasons.

Re:Rewarding incompetence

[yoris]

It says a lot about the world that no other nation yet has the 1st and 2nd amendment.

Just out of curiosity, is this supposed to say something about the US or about the rest of the world? In the latter case, what exactly is the fact that the other democracies of the world did not choose to make the right to keep firearms in the house a constitutional right supposed to say about them?

Re:Rewarding incompetence

I'll second that. Sumatra renders the entire page as a bitmap so zooming uses gobs of memory and is incredibly slow. Even modest zooms can cause it to run out of memory but it doesn't fail cleanly, it just displays a blank page. The only way to see anything again is to restart it. Sumatra certainly is a piece of shit.

Re:Rewarding incompetence

[maxume]

I needed to use Reader 9 for some work, I was reviewing and commenting on PDFs that had been enabled for commenting in Acrobat. This functionality depends on cryptographic signing, so none of the other readers support it (the other readers support commenting, but not the commenting that Acrobat enables...). Anyway, the moral of the story is that Reader 9 is not the bloated crapware that 7 and 8 were, it works quite well, so I have continued to use it (it can be a little slow to load from disk the first time it is run, but after that, not so much).

Re:Rewarding incompetence

Also, specifically for Foxit -- it has its own share of vulnerabilities.

Perhaps, but its not as bloated/crappy as Adobe Reader.

Which is very important for exploit execution speed, after all, and we all want our exploits to run as fast as possible ;)

Nitpick

[iamacat]

Every software has bugs, including security vulnerabilities. Actively fixing such bugs and releasing updates already gives a credit to a company, even if there is a slight delay incorporating patches into an official download. Complaining that initial download contains 9.1 vs 9.1.2 is just splitting hairs.

Re:Nitpick

[IBBoard]

Complaining that initial download contains 9.1 vs 9.1.2 is just splitting hairs.

That depends on the difference between 9.1 and 9.1.2. If the difference is a week or two (i.e. the bug fixes haven't been out long) then it's not unreasonable to have a delay updating the download (although it would obviously be better to update it as well rather than distribute known vulnerabilities). If the difference between them is several months or more then it's less excusable and they've had plenty of time to update it.

Re:Nitpick

Actively fixing such bugs and releasing updates already gives a credit to a company, even if there is a slight delay incorporating patches into an official download.

So... how many months is no longer "a slight delay" in your books?

Re:Nitpick

[Opportunist]

If the difference is a potentially system crippling exploit, it's not excusable. No matter how new or old. That's like saying having the Linux-kernel 2.4.11 a bit longer out for download wouldn't have been so bad either.

Re:Nitpick

[IBBoard]

Okay, so there are two conditions: time and criticality. Still, the fact that it is "only" 9.1.0 to 9.1.2 doesn't mean that it shouldn't be updated, but if it is a short period since the patch release and it is a minor patch then the company may have website update policies that mean the new download is pushed to the web server later than the patch.

Re:Nitpick

[Culture20]

That depends on the difference between 9.1 and 9.1.2. If the difference is a week or two (i.e. the bug fixes haven't been out long) then it's not unreasonable to have a delay updating the download

A week or two? Really!? An hour or two maybe. Worst case scenario: Until 8:00AM Monday if the patch was made 5:00PM Friday. Never longer.

Downloading Adobe Bloater?

[Runaway1956]

People who are downloading Adobe deserve what they get. There are PDF readers on the net that download in 1/10th the time, use less than 1/10th of the resources, run faster, with more features, and WITHOUT the vulnerabilities. Most are free for personal use, most have features that can be unlocked by upgrading, and even the upgraded version can be had for "free" through the advertising schemes. If all a person ever needs to do is read a document published on the web, he doesn't even NEED any features.

It's been years since I installed Acrobat or Adobe reader, and I'll never install it again.

Re:Downloading Adobe Bloater?

Let me guess, you swore off women, booze, and drugs, AND anything adobe. Goodluckwiththat but we in the real world, beyond the garage, need software that does what we, the bug boys, need to do.

Re:Downloading Adobe Bloater?

I wish the same was true for the adobe crash player... :(

but the alternatives sometimes dont even work with youtube...

Re:Downloading Adobe Bloater?

[Norsefire]

If all a person ever needs to do is read a document published on the web, he doesn't even NEED any features.

At least you've made the clarification. There are too many people who reckon Acrobat is bloated because they have never done anything more with a PDF than double-click the icon and read it. In the Industry I work, Acrobat is missing features that we need, which we make up by using plugins.

Re:Downloading Adobe Bloater?

I think you'll find the free alternatives also have about 1/10th of the features of Adobe Reader. Of course, 9/10th of the features in Adobe Reader are stuff you don't actually want, like forms, javascript, 3D, digital rights management ...

<sarcasm>Lets all switch to Microsoft's XML Paper Specification (XPS).</sarcasm>

Re:Downloading Adobe Bloater?

Can those other readers let me make adjustments to spot colors and CMYK values? Can they let me adjust the trapping of those colors? Or adjust the dot gain and head angles for the inks that will be used when the piece is printed? Do they properly show overprint? Can they adjust the crop box, media box, and artwork boxes (three separate things that can all be included in a single piece)? I could go on and on, but I think I know what your answer will be.

Re:Downloading Adobe Bloater?

Somehow I fail to see why I would need any of these features if all I wanted to do was read a document published on the web.

Re:Downloading Adobe Bloater?

[Sir_Lewk]

and even the upgraded version can be had for "free" through the advertising schemes

Why does this sounds even more unpleasant and risky than just installing Adobe Reader?

Re:Downloading Adobe Bloater?

[negge]

If Adobe Reader, the most full-featured and bloated PDF reader on the market misses some features you need, maybe you should consider using an alternative format for whatever it is you do? It's like complaining that Firefox doesn't have very good FTP support so you have to use FireFTP instead (when you infact should be using a proper FTP client).

Re:Downloading Adobe Bloater?

Haha what a douchefag. OK "big boy", whatever you say.

Re:Downloading Adobe Bloater?

[mrrudge]

Note to self : Remember bug boys need Adobe Acrobat. Should come in handy when I work out what a bug boy is, maybe an entomologist ?

Re:Downloading Adobe Bloater?

[PitaBred]

we, the bug boys

Mmmmmm, Freudian

Re:Downloading Adobe Bloater?

[PitaBred]

Now ask yourself if 99.999% of the users of Adobe Reader need those features? No? If you use specialist software, then you can expect "enterprise" type bugs. For it to be positioned as mass-market software, it needs to be held to a higher standard.

Re:Downloading Adobe Bloater?

[wastedlife]

Nothing like a good old-fashioned Freudian sex^H^H^Hslip to make your day.

Re:Downloading Adobe Bloater?

I wish the same was true for the adobe crash player... :(

but the alternatives sometimes dont even work with youtube...

Some would call that a feature :)

Indeed

[siloko]

Why are Adobe offering the old versions?

Absolutely! I'm not html guru but surely it shouldn't take a company with Adobe's technical knowhow to update an "a href" tag . . . in fact, come to think of it, I would do it myself for a small fee . . .

Re:Indeed

[commodore64_love]

What technical expertise? Adobe apparently has none.

Kinda like the place I work (government).

Re:Indeed

[wastedlife]

They might be taking the lazy way out and instead of providing a new full package and updates for the older package, they are just providing the updates and expecting new users to download the patches right away. This is more work than just redirecting the link, as they would actually need to build the entire installer.

Who the heck still uses Acrobat Reader?

[blind+biker]

I thought by now everyone got the point that Acrobat Reader is a bloated crashware and have switched to Foxit or other alternatives. I'm not saying Foxit is more secure (I don't really know), but I thought that the abomination that emanates from Acrobat Reader has shrank their marketshare so much that any security issues it may have, would be irrelevant.

Re:Who the heck still uses Acrobat Reader?

[IBBoard]

How many websites have you seen that say "here's a PDF of a document - you'll need to download Adobe Reader [insert link] if you want to view it" and how many say "here's a PDF of a document - you'll need to download a PDF reader such as Adobe Reader [insert link], Foxit [insert link], ... if you want to view it"? Most commercial sites that distribute PDFs recommend Adobe, and if you're not a techy then you'll assume that Adobe is all you can use. Why do you think so many people used IE6 when Firefox and Opera were available?

Re:Who the heck still uses Acrobat Reader?

[Norsefire]

Who the heck still uses Acrobat Reader?

Anyone who needs to do more with a PDF than simply read it.

Re:Who the heck still uses Acrobat Reader?

[jonadab]

> How many websites have you seen that say "here's a PDF of a document -
> you'll need to download Adobe Reader [insert link] if you want to view it"

If the webmaster had ever watched an end user try to use a computer, he'd Stop Doing That.

Almost universally, the end user does not understand the above paragraph. He gets as far as the link to Acrobat Reader, clicks it (even though of course his computer already has Acrobat Reader; but he doesn't know that, because he doesn't even know what it means), and expects to immediately see the content he's looking for (even though he hasn't clicked, or even noticed, the link to the actual document; generally he thinks the download link he just clicked *is* the document). If he's lucky, at this point, the web browser downloads Yet Another Copy of the Adobe installer and puts it in the default download folder (probably the desktop, unless the computer's been worked over by a competent computer geek at some point). At this point the user has absolutely no idea why the document isn't opening, so he tries again. And again. I've never EVER seen an end user's default download folder with fewer than three copies of the Adobe installer, and six or eight is more common. Eventually, depending on what kind of person the user is, he either gives up (this is the most common outcome) or seeks help from someone he thinks is a computer expert. If he's lucky, his "computer expert" actually understands enough about computers to help him, but at least half the time it's somebody just as clueless as he is (albeit more confident), and they tell him his computer has a virus, which confirms what he suspected anyhow.

Re:Who the heck still uses Acrobat Reader?

[GF678]

Who the heck still uses Acrobat Reader?

Every single computer in our corporation because it's mandated by IT?

Foxit is nice, but it's not the "industry standard". I'm not joking.

Re:Who the heck still uses Acrobat Reader?

And everyone who wants to read it without crap rendering quality.

Re:Who the heck still uses Acrobat Reader?

[IBBoard]

If the webmaster had ever watched an end user try to use a computer, he'd Stop Doing That.

That assumes that most corporate webmaster a) care about that kind of thing (which seems unlikely when Flash is involved in many sites), b) have any control over that kind of thing (which seems unlikely because Marketing have bad habits of doing things like decreeing pixel perfect designs that webmasters must follow) and c) are allowed to link to anything that isn't from a big corporation.

While I can imagine it would confuse people who don't know enough about computers, just having a link to an unknown file type could end up even worse as they sit there going "well that's a crap site - I've got the document but it won't open/looks like it is corrupt".

Perhaps I should have made that text a little different and gone for:

[insert link to document here]

If you don't already have it installed, you'll need Adobe Reader [insert link] to view the document

Re:Who the heck still uses Acrobat Reader?

[ZERO1ZERO]

Interestingly, if you google for 'click here', guess what the first result is?

Re:Who the heck still uses Acrobat Reader?

[Quirkz]

I'm in IT, and we do push Acrobat Reader, but it's maybe not as "stuck in our ways" as your comment would make it sound. Every now and then I think about trying to encourage the company to switch to something else, like FoxIt, but then I think about it some more ...

One problem is some people in the office actually need Acrobat Standard to create PDFs for business-related purposes. I can understand that there are a lot of free readers, but for more complicated PDF creation Acrobat still seems to make sense. We have used some free software like PDF Creator when we can, but a lot of times it won't cut it, and we go with Acro Standard.

And once we've got that scattered around the company, and people already know it, it's just kind easier to stick with Acro Reader as the free PDF reader. People already recognize it and know what it is, as opposed to trying to educate them about some other program they've never heard of. (Seems like a small thing, but it's challenging ... I can't get ANYONE around here, even intelligent techie co-workers, to even call Acrobat products "Acrobat" ... it's all "Adobe" to them, and yes, we use Photoshop, Illustrator, and some other Adobe apps here an there in the company, too.) And as office needs change some people get upgraded from Reader to Standard, and others don't need Standard anymore and we uninstall so they've just got Reader, and of course it's far simpler if both the paid and free versions look and are named something similar. Retraining to switch over from one to the other isn't as trivial as it should be.

And all that's without the issue that we've been using Reader for a decade, it's on all of our computers, and switching over now would be a tremendous pain. Yeah, we could phase things over gradually, but frankly the inconsistency from one machine to another is more trouble than sticking with Adobe Reader, at least for now.

Ni6ga

you're 7old. It's

Evince vs. Acrobat

[Rick+Richardson]

evince linux: doesn't work with USPS "clik to ship" postage.
acrobat 9 linux: works with "clik to ship".

Sorry.

Re:Evince vs. Acrobat

[L4t3r4lu5]

How about the other five listed here?I'm not running Linux, so I can't wipe your bottom for you. Maybe some research on your part would be useful?

Here, I'll save you some effort and GoogleThatForYou

Re:Evince vs. Acrobat

[CarpetShark]

Evince is pretty lacking in PDF functionality anyway. If you want to compare best of breed on each system, you should probably compare KPDF. It would still fall short of Acrobat Reader. However, I think it's silly to expect otherwise, given that Adobe set the standard AND develop the software meeting that standard in one go.

Re:Evince vs. Acrobat

[colfer]

The USPS thing expects some feedback from the reader. It may require Javascript to be enabled in Adobe Reader, I've had mixed results otherwise. By the way, Adode Reader updates turn JS back on! At least in version 8.x.

Re:Evince vs. Acrobat

[innocent_white_lamb]

All of the readily available PDF readers on Linux (with the obvious exception of acroread, of course) use the poppler backend to do the actual rendering. Therefore, a flaw in the rendering affects all of the reader software.

The biggest beef I have with acroread on Linux is that there isn't a 64-bit version of the darn thing. Sure, it's possible to run the i386 version on an x86_64 setup, but it drags in a metric ton of i386 dependencies.

The computer I'm typing this on runs Fedora 11/x86_64 and has no i386 software installed on it at all.

Re:Evince vs. Acrobat

[innocent_white_lamb]

kpdf and evince both use the poppler pdf rendering library.

Foxit...

[EddyPearson]

FoxIT Reader.
http://www.foxitsoftware.com/pdf/reader/

Google docs

[beadwindow]

google docs opens pdf's

pdfreaders.org!

[Karellen]

"...you'll need to download a PDF reader such as Adobe Reader [insert link], Foxit [insert link], ... if you want to view it"

No, no, no!

It's "you'll need to download a PDF reader".

pdfreaders.org even has free icons which you can use to replace the more usual Adobe-based PDF icons.

Why should a 'reader' be a security issue anyway?

[dtjohnson]

Adobe began using javascript in their reader beginning with v7 and that has opened up this whole new world of security issues. Wouldn't it be better if the 'reader' just rendered a static file and didn't run embedded script?

shhhh....don't botch the agency subsidies

[harvey+the+nerd]

If they make a really secure program, who is going to replace the FSA (Russia) and NSA (USA) subsidy payments?

Hey Obama, what's the rush on healthcare?

http://blog.newsweek.com/blogs/thegaggle/archive/2009/07/21/romney-on-obama-s-push-for-health-reform-slow-down.aspx

I'm afraid I have to agree with Romney on this one. Such an important piece of legislation that is going to fundamentally alter such a large chunk of the economy deserves a thorough vetting, and some real leadership from Obama to stick to his campaign promise of bipartisan support and changing the tone in Washington, not twisting arms and cramming through a bill that he admittedly isn't even familiar with. America needs real leadership and real solutions, not another trillion-dollar entitlement with unfunded mandates for the states. We already have THAT system. It's called MedicAid.

Re:Hey Obama, what's the rush on healthcare?

Looks like you struck a nerve!

Re:Why should a 'reader' be a security issue anywa

[Opportunist]

But ... but all those nifty features, like filling out forms and such! How did we ever survive without them?

It's like saying "Why do we need Aero?" We don't. Few people do at all. But, hell, how do you plan to sell a new version if your markedroids can essentially only say "Well... it has rounded corners now"?

Running Code in a PDF Reader!

[Prototerm]

In my opinion, the purpose of a PDF reader is to ... wait for it ... *read* a PDF file, not run Java or any other sort of scripting. If a publisher wants to create an interactive program, *there are programming languages for that!* If Acrobat Reader was made to specifically prevent a document from doing anything except *being passively read*, we wouldn't have half these problems.

The Swiss Army Knife approach only works for Switzerland's military elite, not software companies!

I don't blame it.

[RealErmine]

If I had so many vulnerabilities I would feel insecure too.

Insecure?

[whargoul]

Does it have self esteem issues?

Patches for patches for patches.

[zerofoo]

Adobe's problem of distributing out of date software highlights a bigger problem in the software industry - patch management.

It is an absurd situation when you must go through a patch cycle MULTIPLE times to get your software to a current state. Microsoft and Adobe are horrible at this.

Install a fresh copy of Windows, or Adobe's creative suite and count how many times you must run the updater until it reports that you are current and that there are no further updates to apply. Usually the number hovers around 3 or 4 times. Most non-technical users will assume that the machine is up to date after the first go around. This results in vulnerable machines running around the internet.

Contrast Microsoft's/Adobe's/Apple's stupid approach to my Ubuntu machine. One update run is all that is needed to bring the entire machine up to date.

The major software manufacturers must know this is an issue. I can only assume that they don't give a shit.

-ted

Re:Patches for patches for patches.

[Gizzmonic]

Install a fresh copy of Windows, or Adobe's creative suite and count how many times you must run the updater until it reports that you are current and that there are no further updates to apply. Usually the number hovers around 3 or 4 times. Most non-technical users will assume that the machine is up to date after the first go around. This results in vulnerable machines running around the internet.

Contrast Microsoft's/Adobe's/Apple's stupid approach to my Ubuntu machine. One update run is all that is needed to bring the entire machine up to date.

The problem is, you can't mandate a centralized update repository on a commercial OS. So there's a lot of crappy updaters that are constantly sucking up CPU cycles on any Windows or OS X machine. And Linux is hardly immune to problems with software updates-in fact, I'd take Adobe's terrible, bloated, non-functional updater over dependency hell.

The real solution is to do less...instead of a separate updater, the program itself should check for updates, then refer users to a website where they can directly download a newer version.

Re:Why should a 'reader' be a security issue anywa

Adobe began using javascript in their reader beginning with v7

Really? I have Adobe Acrobat v5 (for compatibility testing), and it has the javascript engine (and javascript can be disabled in the preferences).

Anyone have Acrobat v4 handy?

Centralized/decentralized download Infrast. = DNS?

[McFly777]

... having a pointer to the vendor's download URLs for a file. This is a lot easier, but still requires some added infrastructure and bandwidth. However, third party utilities like Secunia's PSI are able to hunt down and point out outdated/insecure versions, so it wouldn't be too onerous for a central switchboard for application vendors to have one place for update checking. ...

Not a bad idea. But perhaps the infrastructure already exists. It seems like much of this could be a TXT record in a DNS file. Microsoft would only have to host the "root" server for windows software update info. Why create a new infrastructure/protocol when a perfectly good one exists?

Now before you all go and beat up on the idea, I am sure there would be some decisions that would need to be made. For example, does the TXT record actually go in the current zone file, or is this a separate system just using the same protocol? I am sure there are others...

No there aren't

[GameboyRMH]

I guess there are some "super elite" things to do with Adobe Reader that I have no clue about.

No there aren't. Adobe's just continuing its tradition of producing bloatware.

- Guy who works with PDFs a lot and recommends Foxit Reader.

clogging up the tubes

[hurfy]

Ok, i will move my vote over to the totally stupid column.

Just downloaded the 25.5MB reader.
Then downloaded the 26.1MB in updates!

So they appear to have you download one version and then replace it :/

Having it download the downloader probably doesn't simplify anything for Joe Sixpack either. Trying to download Acrobat Reader gives a warning message about installing something that is not Acrobat Reader...Didn't we try to teach Joe NOT to do that?!?

Don't use Acrobat!

[crhylove]

Acrobat is like a giant virus on every machine I've run it on.

SumatraPDF is much, much faster and better.

Besides Adobe is a Fox news sponsor. Don't give them your money or your ram!!!

http://portableapps.com/de/apps/office/sumatra_pdf_portable

Re:Centralized/decentralized download Infrast. = D

That is a good idea. DNS is tried and true and is made to handle distributed queries on a massive scale. It wouldn't take too much adaptation to have it have some cryptographic verification, and multiple locations for a software product to be updated from. One can also add versioning. Then, a simple client on the PC side could just check executable versions, run them against the namespace, then either offer to autoupdate everything, or point to a URL of the software maker to do that.

Sadly,one key reason why you can't switch to FoxIt

[romrunning]

Password support - I can't tell you how many times I've been requested to have password-protected PDFs. As far as I know, Foxit doesn't support password-protected PDFs yet.

Re:Why should a 'reader' be a security issue anywa

actually, I was putting JavaScript in Reader 4.05.

Re:Why should a 'reader' be a security issue anywa

[DMUTPeregrine]

Not always. Look at, say, any good postscript viewer. Like ghostview or Okular, or any good printer. You can't read a .PS file without running it.

Vulnerabilities and Adobe Updates

[PhunkySchtuff]

So, it seems that I'm not alone in finding it incredibly frustrating and back-to-front that Adobe don't offer the latest versions of any of their software for download, especially Acrobat and Reader.

You need to download the main installer, which will generally be X.0.0 of the software, and then there are a whole heap of updates.

Downloading these extra updates, when Adobe could simply update the version of the main installer, is a vast waste of bandwidth and a monumental waste of time.

I hope this prompts Adobe to ensure that the main installer for the software that you download from their site gets revised to be the current version of the software, rather than relying on having to be installed, and then patched, and then patched and then... This goes for all their software, not just Acrobat!

Re:Why should a 'reader' be a security issue anywa

[cbhacking]

The irony being that PDF is a Turing- in complete variation of the (Turiong-complete) PostScript language. So what does Adobe do?
"Hey guys, lets embed a *completely different* Turing-complete language in our document specification!"

ick

I hate adobe with a passion. There's so many halfwits who call themselves "developers" who rely on this crap.

Re:Why should a 'reader' be a security issue anywa

[lennier]

What I'm boggling at is how come Adobe Reader files can include Flash content.

How are they planning on printing that?