Adobe Warns of Critical Zero Day Vulnerability
wiredmikey writes "Adobe issued an advisory today on a zero-day vulnerability (CVE-2011-2462) that has come under attack in the wild. According to Adobe, the issue is a U3D memory corruption vulnerability that can be exploited to cause a crash and permit an attacker to hijack a system. So far, there are reports the vulnerability is being exploited in limited, targeted attacks against Adobe Reader 9.x on Windows. However, the bug also affects Adobe Reader and Acrobat 9.4.6 and earlier 9.x versions for UNIX and Macintosh computers, as well as Adobe Reader X (10.1.1) and Acrobat X (10.1.1) and earlier 10.x versions on Windows and Mac. Patches for Windows and Mac users of Adobe Reader X and Acrobat X will come on the next quarterly update, scheduled for Jan. 10, 2012."
Why on earth isn't "Adobe Reader X Protected Mode" the default?
You can pretty well set your watch by adobe exploits. Get it together, guys...
Sent from my PDP-11
Jan 10??? They're leaving exploits that can allow intruders to hijack computers unpatched for over a month?
Am I missing something?
Jan. 10, 2012? Why not immediately? Do Adobe coders suck that bad... Honestly I think when a major vulnerability is found, companies should fix it immediately or face penalties.
Good I stopped using that blob...
"Flyin' in just a sweet place,
Never been known to fail..."
I'm socked, shocked I say.
...leads to increased vulnerability, whether in biology or in software.
Although there are alternatives to Adobe Reader, none of them is good enough to gain significant market share. And Adobe does everything it can to make competing with it more difficult. So a key piece of software used by a large majority of computer users is bloated beyond belief and so riddled with vulnerabilities that it seems there's a new one every day. It sucks, but it's hardly surprising.
On the web, as in politics, we get what we deserve - or, in this case, we get what other web users deserve, because they vastly outnumber us.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
If you're wondering "How can this happen?", all you need to do is look at the credits of Acrobat Reader. Notice that many of the names are quite clearly Indian. Then it all makes sense.
According to the Wikipedia article on Universal 3D:
> The format is natively supported by the PDF format and 3D objects in U3D format can be inserted into PDF documents and interactively visualized by Acrobat Reader (since version 7).

and

> There are four editions to date.
> The first edition is supported by many/all of the various applications mentioned below. It is capable of storing vertex based geometry, color, textures, lighting, bones, and transform based animation.
> The second and third editions correct some errata in the first edition, and the third edition also adds the concept of vendor specified blocks. One such block widely deployed is the RHAdobeMesh block, which provides a more compressed alternative to the mesh blocks defined in the first edition. Deep Exploration and PDF3D-SDK can author this data, and Adobe Acrobat and Reader 8.1 can read this data.
> The fourth edition provides definitions for higher order primitives - curved surfaces.
I'm guessing it's the vendor specified blocks from the 3rd edition that are causing the problem.
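Added example, not part of the original thread and not code from Adobe or any reader named here: a triage scanner that counts the PDF name tokens marking embedded 3D/U3D content and the other active features commenters mention (scripting, /Launch), decoding `#xx` name escapes first so a name written as `/U#33D` is still counted. The watched-name list and the sample bytes are this example's own constructions, and names stored inside compressed object streams are not visible to it.

```python
import re
from collections import Counter

# Name tokens flagged during triage (this list is the example's own choice).
# /3D and /U3D mark embedded 3D content; the rest are other active features.
# /ObjStm is watched because compressed object streams can hide names from
# a byte-level scan like this one.
WATCHED = {"3D", "U3D", "JavaScript", "JS", "Launch", "OpenAction", "ObjStm"}

# A PDF name is "/" followed by characters that are neither whitespace
# nor delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
# Inside a name, "#xx" is a hex escape for one byte.
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf_names(data: bytes) -> Counter:
    """Count occurrences of each watched name in the raw file bytes."""
    hits = Counter()
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in WATCHED:
            hits[name] += 1
    return hits


def triage(data: bytes) -> dict:
    """Summarise what a mail gateway or analyst would want to know first."""
    hits = scan_pdf_names(data)
    return {
        # Readers accept the header anywhere in the first 1024 bytes.
        "is_pdf": b"%PDF-" in data[:1024],
        "has_3d": hits["3D"] > 0 or hits["U3D"] > 0,
        "has_script": hits["JavaScript"] > 0 or hits["JS"] > 0,
        "has_launch": hits["Launch"] > 0,
        "may_hide_objects": hits["ObjStm"] > 0,
        "hits": dict(hits),
    }


# Constructed sample: a skeletal PDF with a 3D annotation, a 3D stream whose
# subtype is written with a hex escape, and a script action. No real payload.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Annot /Subtype /3D /3DD 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /3D /Subtype /U#33D /Length 0 >>\n"
    b"stream\n\nendstream\nendobj\n"
    b"5 0 obj\n<< /S /J#61vaScript /JS 6 0 R >>\nendobj\n"
    b"%%EOF\n"
)

# Constructed sample with no active content, for comparison.
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, triage(blob))
```

A hit only says the feature is present in the file; it is a reason to route the document to a sandboxed viewer or strip the content, not a verdict that the file is malicious.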
In my experience it can (or used to) break things when interacting with other programs.
It broke my LaTeX editor. Couldn't compile a document and automatically have it open in Reader. After some fighting, I think I got it to open, but if you make some edits and recompile... it quickly errors out if you don't manually and completely exit out of Reader first. It's really annoying. Spent far too long reading up on how Reader is supposed to interact with other software and setting my editor to try different commands invoking Reader. No dice, and it looked like the documentation wasn't up to date for all the changes in X yet. But turn off protected mode, and it worked just fine.
Granted, they might have fixed that in the meantime, I've not used it in a couple months, and don't even have Reader installed any more...
I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
This type of vulnerability is serious enough that I find it rather appalling that Adobe is pushing this to their regular "scheduled" quarterly update. If they are serious about being considered as a credible platform, they absolutely need to address these kinds of issues with a greater sense of urgency.
install it already
The summary makes no mention of a patch for Reader 9, but some of us have been stuck with Reader 9 because Reader X has no IFilter to allow PDF indexing by search tools (even worse, installing Reader X removes any older IFilter that you might already have). So we get to choose between having a security hole or an IFilter. Thanks, Adobe.
Can this circumvent the PDF protected mode?
It doesn't do everything Acrobat does, but it reads PDFs. Which is enough for me.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
OK, the summary omits it, but the article says "We are in the process of finalizing a fix for the issue and expect to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011" so Reader 9 will be fixed after all.
Adobe have to be very careful about even recommending that you update these days, as that can lead to problems if not handled correctly.
Adobe is forced to officially advise the need to update, at the same time as spam containing malware laden upgrades are released. Naked Security article about malware spam
They might get a greater hit rate by using the Zero Day to create FUD that increases the number of clicks on the email rather than pushing an exploit on the Zero Day directly.
... because Adobe broke the search feature in the versions after 9.4.0 (both 9.x and 10.x) If you search in a .PDF in the newer versions, it will fail to highlight at least some of the matches.
This is a pretty huge deal and it would be astonishing if it were still broken. Does anybody know if they've fixed the bug?
I'm actually in the process of becoming Adobe free. No Reader, no Flash, and hopefully my system will run better.
The cesspool just got a check and balance.
I'd be curious to know how many Mac users install Adobe Reader at all, since Preview does a very good job of basic PDF handling - and loads almost instantly, as opposed to Reader's geologic-era-scale load time.
#DeleteChrome
How about TOMORROW?
Idiots.
... or maybe just go back a few versions. No movies, no scripting, no interactivity other than hyperlinks and form elements, no live connection to the Web, no motion of any kind. Just vector shapes and a handful of well-known image formats. Please, just go back to what PDF was originally supposed to be: a virtual print that looked the same anywhere, including a small handful of well-known image formats. Oh, and make it "safe", which it never would have occurred to me to ask for in the past but I guess we need to specifically request that these days. (Hi, GM, can you please make a car without an array of eight-inch spikes in the middle of the steering wheel?) And, as long as I've got this crackpipe, I'll ask them to make the spec simple enough and open enough that anyone can make a program to generate them or read them.
I don't know what features Adobe is packing into the spec these days but to the best of my knowledge there's nothing I do today that couldn't be handled by PDF 1.2 and Acrobat 3. The only problem is, when people make PDFs, they tick the little box that says "Require Acrobat _ or greater" and I always have to update.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Most of our technical manuals come in PDF form now, but thank God for Okular. It has really, really improved. :)
Cogito, igitur comedam pizza.
I personally prefer Foxit Reader
> Why on earth isn't "Adobe Reader X Protected Mode" the default?
Wouldn't matter since Reader X crashes on every XP system I've tried it on. That leaves me with Reader 9, and I don't really care to hear any comments about why I shouldn't be on XP. It's not dead or out of support yet and I have my reasons to still be running it.
My question is: after all of these years, why can't Adobe write a secure version of Reader? I mean it's just one program to do basically one simple enough thing. Are they too busy on new development to actually fix their existing product?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
...if you're going to follow up your "zero" day announcement to the world with a statement that your "fix" for this is to release a patch that is scheduled for release in a month or so from now. What, is patching out of cycle for a zero-day vuln suddenly against someone's religion or something? That's about the only excuse that would seem somewhat sane (if you call organized religion sane) here.
If I were one of those paranoid type of guys, I would say that Adobe wrote this fucking thing themselves, and was paid to do it by all of the major computer hardware vendors in order to create a massive wave of "broken" computers just in time for holiday sales.
(Cue massive attack in 3...2...)
That could never happen, right?
Right?
Uh...right?
It's a freakin' document reader. How did Adobe end up here? Not only is it such a bloated piece of crap it takes forever to open a document, but they seem to have one vulnerability after another. The functionality that they added for 0.0000001% of their customers isn't really worth the price they're paying.
I guess all the good programmers left Adobe years ago.
The real Sig captains the Northwestern. This one captains
0-day that allows 1,000,000's of systems to be rooted + No update for a month & 6 days when its scheduled update is ready = How Adobe Does Business while Its Flash platform is losing Adobe's grip on the internet.
I and a bunch of others received emails today claiming to be from Adobe (it wasn't, as mail headers showed) that included an attachment, an .exe in a zip file.
Of course, you should never run attachments sent via email, even if the source appears trusted.
Hey I don't have a problem with you being on XP friend, if it works why fix it? I have windows 7 on one machine and XP on another, why bother switching the older XP machine?
My question would be why are you trying to run Adobe Reader at all when there is both Foxit and Sumatra on Ninite. Just check the box, click the download button and run it, that's it. Then you can say goodbye to crappy Adobe Reader.
As for why Adobe can't build a secure reader? You answered it yourself friend when you said you thought it was "one program to do basically one simple enough thing" when to try to sell copies of Acrobat Adobe has been piling shit into that program for years. That is why frankly for production software like Acrobat I really wish they'd go to a yearly license model like AV companies use. That way instead of being pressured to constantly add new shit to the program so they have an excuse to upsell you they could just focus on making it better and more secure and get paid without having to add crap.
ACs don't waste your time replying, your posts are never seen by me.
Get swamped at work when these blunders become well known...
It has a 4.4 MB setup file, compared to Adobe Reader's 40.5 MB, for Windows 7. Installed size is 8.4 MB, whereas Adobe Reader requires 335 MB of available disk space.
Adobe PDF Reader - now with 10-40x the size of what's *really* needed! ***Bonus*** - Includes Critical 0 Day vulnerability, @ no extra charge!!!
What more could you ask for?
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
what else is new?
It is the default already (I checked using my copy of Adobe Reader X), which is part of why they are delaying the patch for this version until next month.
I wrote it years ago, but it's still quite relevant:
http://www.cert.org/blogs/certcc/2009/06/vulnerabilities_and_software_a.html
Coding quality and exploit mitigations aside, there's something to be said for the size of the software that you're installing. The more code that's there, the more there is to attack. If you're using Reader, you might ask, why is there a 3D rendering engine in my PDF reader? Or maybe even do something about it.
Why is it under Preferences | General instead of, I don't know, crazy idea, under Preferences | Security ?
And 4 weeks? They're leaving that hole open for 4 fscking weeks?
1- Announce a security flaw
2- Leave it open for a month
3- ???
4- Profit!
I've got better things to do tonight than die.
> Adobe PDF Reader - now with 10-40x the size of what's *really* needed! ***Bonus*** - Includes Critical 0 Day vulnerability, @ no extra charge!!!
> What more could you ask for?
Ummm, could you maybe toss in an eternally running updater?
And if the same people could come up with a useless "download manager", well that would just be peachy!
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Adobe Reader? What the hell's that? Oh, wait a minute, doesn't it open Foxit (.pdf) files? :p
I knew Adobe Acrobat and Adobe Reader were made insecure weekly but I really did not know there were Linux versions!
Adobe has another zero-day? We call this "Tuesday."
Adobe has another zero-day for their document reader? We call this, "Tuesday."
First, select two page view: view->page display->two up
Then, change your full screen preferences: edit->preferences->full screen->fill screen with one page at a time (uncheck)
Now when you go to full screen mode you'll get two pages.
The MB size of a GNU OS install, All the attack surfaces of a web browser and it runs locally. It does everything the user could do and more that drm prevents you from doing. It was only a year ago Adobe decided a sandbox might help.
Preview works very well for reading, but Acrobat Pro is currently the best Mac solution for authoring PDFs. Unfortunately. But there you have it. Open a 5mb PDF in word. Edit. Save. Wow, look at that, did you notice, now it's 45mb? It seems that acrobat pro is one of the few editors that recompresses. Now watch the secretary fill out that PDF form in Word and try to email it back to you.
PDF - Portable Document Format. It does a good job at being universally supported, for reading anyway. Do you want that, or maybe something else proprietary like DOC? (or even better, DOCX) You may hate the reader but the format is very good. It's just insanely bloated with features that are nigh impossible to secure. (it's about as good an idea as when MS added auto running macros to their DOC and XLS spec) So you can count on there being a new exploit almost constantly, and as we're seeing here, a critical exploit every quarter or so.
I personally do as much as possible in RTF format. It's fairly well supported, and doesn't have security-undermining features in the standard. On the Mac, the bundled TextEdit does a marvelous job with RTF, reads and authors in it, and has very similar functionality to PDF. I just wish clicking on an RTF document on a web page would display it inline instead of downloading the bloody thing to the desktop.
I work for the Department of Redundancy Department.
That is not actually true. Adobe Reader is a "conforming implementation" of the ISO 32000 PDF specification. As such, it must support features that your 8.4 MB reader cannot possibly see (such as the ability to pull from CRL's when encountering a digital signature). I used to work for Adobe and I am not here to defend them but in all fairness, you must distinguish the difference between conforming and non-conforming implementations of PDF before comparing.
Duane
Don't forget, it helps you keep your system stable by requiring a reboot every 60 minutes, due to needing a patch. A patch that gives you a value add, like this 0 day vulnerability.
> you must distinguish the difference between conforming and non-conforming implementations of PDF before comparing
Your point is valid, however, how much of that ISO standard is, itself, "ooooh, shiny"-ness which is one of the reasons why Reader has so many more possible places of failure? Before discovering better alternatives for reading PDFs under Windows, the first thing I would do to Adobe Reader was to disable scripting support inside PDF documents.
In other words, I prefer the non-conforming, because that means that (there is a chance that) the implementers might actually be ignoring stupid things which Adobe pushed into the PDF standard which shouldn't be there.
I don't know, but I'm working with PDF files on a daily basis, not a small amount of PDFs mind you, I'm talking about several 100 files (research), it doesn't matter if I use Adobe's horridly bloated reader or any of the open source alternatives, things crash and flail around on a daily basis, and each of these crashes is likely to have RCE potential if properly researched, the only thing making the "official" reader so much worse is the fact it is extremely bloated and has built in Flash and JavaScript support, alongside other insecure redundancies, however it is the only one of these that doesn't use braindead decompression algos that clock the CPU to 50% usage and actually loads PDFs resulting from document scans instantly (all the "alternatives" hang around for *minutes* trying to display a single page), this makes it without alternative, I have avoided the majority of security problems that plague Reader by using an ancient version (with other software this would be bad, but not having SWF support and all that other trash they added to it is a good thing, there is no other way to look at it), running inside an external sandbox (ie not a half-assed sandbox in the sense Adobe implemented in later versions) and considered without any access privilege by HIPS --- all this to view documents, I have also manually removed the browser plugin and shellex, and deassociated it with PDF files (so that, in case of a driveby download getting past NoScript, the PDF file would simply dud-out because nothing would open it), why can't we have a simple document format? Oh wait, we do, I'm using djvu nowadays for most of these scans.
I've said it before and I'll say it again, Adobe could not produce a version of "Hello World" that weighed in at less than twenty megs or that didn't require a weekly update over the internet.
You're saying pulling from CRLs requires that many more megabytes?
Let's be blunt here. Adobe Reader is an obscene piece of bloatware, packaged with all sorts of worthless cruft like the absolutely moronic download manager. I suspect that software developers who were actually interested in delivering a decent product rather than trying to push their vast library of even more bloated applications would try a little harder to bring the size of things down, if for no other reason than an abiding sense of shame at releasing such a gawdawful huge monster.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Too many options, and code in order to do a simple thing? (i.e. editing or, in this case, viewing and printing a document)
While Adobe Reader is indeed the slowest, most frequently crashing PDF reader I've ever used (xpdf, evince and foxit being the main others), there are actually features that don't work in most PDF readers. Notably, comments on highlighted text, something many supervisors like to use for commenting on one's paper.
me too. Together, Chrome and OpenOffice provide that functionality for me now.
Don't forget the shell extension in windows, that enables those zero-day vulns to take effect by just hovering over the file! And unlike the updater and preloader, you can't turn this off without manually meddling with the registry.
Installed size of SumatraPDF really is 4.4MB here for me, as the setup file is a ZIP containing a single .exe file. So the install footprint of Adobe PDF Reader is 76 times the size of SumatraPDF. Adobe creates bloatware. Same with Apple and iTunes/QuickTime.
I've read numerous forums ages ago on ppl agreeing how sh!t Adobe Reader is. Use another one like PDFXChange or something. And why is the Adobe Reader install so large? PDFXChange is tiny in comparison.
Don't forget it's a zero day vulnerability that is fixed in the next quarterly update.
ISO conformity is no excuse for the amount of vulnerabilities in Adobe Acrobat software. Unless the vulnerability is specified in the ISO.
1.) Adobe really must employ some of the worst developers in the commercial sector.
2.) Zero Day is undoubtedly one of the most idiotic labels in the computing sector.
"By default, Adobe Reader 10.0 enables Protected Mode"
http://kb2.adobe.com/cps/860/cpsid_86063.html
blindly antisocialist = antisocial
Forgive my ignorance but can Acrobat (and eventually Flash) be forced to run only in a sandbox for any given OS ?
blindly antisocialist = antisocial
More time is used to patch Adobe software than use them.
The truth or interpretation..
Yesterday I updated a Windows Vista machine with old versions of Firefox, IE, Acrobat Reader and Flashplayer. I jokingly brought up the possibility, that this machine might be protected because of the age of the programs.
This machine is used to do bank transactions and other confidential things.
Did I mention, that the virus scanner is long outdated? And there is no firewall to protect this machine. No, it's not a honeypot!
The owner doesn't want to be disturbed in the full experience of the internet, though it supposedly wasn't meant that extensive. I love this attitude...
cb
Unfortunately, Foxit Reader doesn't seem to support many localised versions, unlike Adobe Reader.
/MC
I just updated my system to Adobe X and Enable Protected Mode is the default.
I wish people would actually read the advisory because Adobe X has mitigations and to look at settings.
What Me Worry!
Here is the mitigation in advisory.
Mitigations
Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing. To verify Protected View for Acrobat X is enabled, go to: Edit > Preferences > Security (Enhanced) and ensure "Files from potentially unsafe locations" or "All files" with "Enable Enhanced Security" are checked. To verify Protected Mode for Adobe Reader X is enabled, go to: Edit > Preferences > General and verify that "Enable Protected Mode at startup" is checked.
Good thing that this technology is not supported on the Linux version ;) .
> Why on earth isn't "Adobe Reader X Protected Mode" the default?
It is the default.
I've checked both on my system (Adobe Reader X 10.1.1.33: Edit -> Preferences -> General -> "Enable Protected Mode at startup" checkbox) and both on their website:
http://kb2.adobe.com/cps/860/cpsid_86063.html#main_What_is_Protected_Mode_
Now, can we stop the FUD?
> It was only a year ago Adobe decided a sandbox might help.
Of course with Adobe designing it the sandbox will also have a nice plentiful selection of its own exploits. Unless Adobe hires another company to design their sandbox for them then I wouldn't trust it for a minute.
Fear is the mind killer.
Because that would make it too easy...sometimes I wonder if Adobe is in cahoots with the cyber mafia, getting funding to give them a head start, to let them know,......"hey we have a hole, that no one knows about....we will find it eventually, so here, have at her....that will be 50k please"
Do you have a pointer to the registry key that needs to be changed?
Unfortunately, lots of end users equate bigger with better...
Similarly many people consider PDF to be a proprietary format which is only supported by adobe, and refuse to even consider the idea that any alternative viewers exist. This is also perpetuated by the vast number of websites which offer PDF files for download and then include a statement that specifically says adobe acrobat is required rather than a generic pdf viewer.
I have even encountered Mac users, who when faced with a PDF file make no effort to open it and instead immediately head off to download acrobat, despite the fact that OSX includes a decent PDF reader by default.
And out of interest, what other readers are there which conform to the full ISO32000 spec, and how do they compare for size?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
It's the old Microsoft syndrome again...
Take software which was designed for a non networked, single user standalone environment...
Throw it onto a hostile network like the Internet...
Then make sure that 95% of systems run exactly the same software...
If there was a more even marketshare of PDF viewers out there, then they would be far less attractive to target.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I suspect none, because Adobe wrote the spec.
"Don't worry! You'll be fine for the next month...probably..."
If you can change the registry key, then you can uninstall the steaming pile and install *anything* else.
Foxit works great in my experience. I believe they've ported Okular over to Windows as well...
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
A little tidbit Adobe conveniently leaves out of their security announcements. It should read: "The sandbox will protect you, unless you're using the Pro version of our product that you paid a lot of money for. Mostly because we were too lazy and inept to include it, or have the security team release updates more than 4 times a year." Because everyone knows, the bad guys only work on release schedules.
I used to be indecisive, but now I'm not so sure.
Did that 4 years ago.
TBH, I've found that flash is hard to do without in some cases, so it is a good idea to have a CPU that supports condoms, so you can run flash in a condom. (condom == Virtual Machine)
Just keep a copy of the base image, and overwrite it whenever it gets too infected for use.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
> That is not actually true. Adobe Reader is a "conforming implementation" of the ISO 32000 PDF specification. As such, it must support features that your 8.4 MB reader cannot possibly see (such as the ability to pull from CRL's when encountering a digital signature).
And who was it that wrote the ISO 32000 specification in the first place?
Foxit, the maker of the Foxit PDF reader claims ISO-32000 compliance for their Enterprise Edition on their website. I couldn't find the binary as this version requires registration and looks like it costs money. Their regular free version is currently 14MB for the installer. I don't know how compliant it is, but it can't be too far (it reads all PDF's I've thrown at it).
So how much of Adobe Reader code is not for conforming to ISO 32000 and instead for supporting additional features that are not in the standard and for features for interoperability with other Adobe products that have nothing to do with the simple task of opening and rendering a PDF file? My hunch is quite a bit. More code == more possibilities of vulnerabilities.
I realize Foxit Reader is probably no more secure than Adobe Reader (except for having the smaller attack surface) but I like that it is very unpopular and thus does not get targeted as much by malicious hackers.
right!
SumatraPDF uses mupdf, mupdf supports ISO 32000 specification, but without "interactive" features (like form filling).
> Unfortunately, lots of end users equate bigger with better
If this were true, then people would be using XBOX HUEG laptops as a cell phone.
While I like, and use, Sumatra myself, anyone thinking to replace Adobe with it should be warned it does NOT contain a browser plug-in for reading PDFs. Some sites (*cough*State of Texas*cough*) are coded so they don't work right if you lack the plug-in.
I don't get it.
Adobe announces (and has already mitigated the attack in the Reader X) the exploit and what not, stating that they'll patch vulnerabilities (that again, are mitigated if you have the most recent version).
Compare this to cell phone manufacturers that have jailbreak / root privileges that go unpatched... well.. forever? These are the same vulnerabilities that can be exploited for malicious purposes (and tbh, not sure why they haven't been).
How quaint.
Closed source software is so much 20th century.
It breaks everything! Well not everything but I did a large deployment of Reader X, ~5500 workstations and we had issues with opening PDF from network drives, which is an issue Adobe has known about for over a year and still hasn't fixed it (go figure, damn Adobe too busy fixing holes in their software to make it work). Also had an issue when IE was opened using a "runas" (single sign on machines) wouldn't open PDF from our SharePoint site anymore. There were other problems with certain web apps too with Reader not showing the document once it was launched etc... We ended up having to disable protected mode in order to make it function correctly. So much for the security benefits of running in a Sandbox when nothing works.
www.youtube.com/html5/
Can it print yet?
> That is not actually true. Adobe Reader is a
> "conforming implementation" of the ISO 32000 PDF specification.
I think that's the problem right there. Adobe is writing a honking big "application platform". 99% of average users just want a stinking PDF *READER* to display the PDF. That was the original idea behind the acronym... Portable Document Format.
99% of end users do *NOT* want/need a huge, slow, bloated monstrosity that supports singing/dancing PDF's with javascript, radio boxes, checkboxes, playback of videos, and for f*** sake, *WHY* do they include "/launch" which can launch native executables on your machine?
What adobe should do is make 2 versions...
1) A "Reader Lite" that does nothing but display PDF documents, and is incapable of compromising your system.
2) A full-featured, bloated "Enterprise Edition Reader" for the 1% that want all the bells and whistles.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Why on earth is Adobe PDF a fucking standard? It's HORRIBLE, and yet everyone seems to use it. Not only is the software one of the most prolific generators of security holes, but it's also just really bad software. For instance, I have a .DOC file I want to print... no scratch that, 12 of them. 2-5 pages each. I select the ones I want from the file manager, and right click- print. DONE. PDFs? No such luck. OH, and say you want to print that PDF 4 pages per sheet. No problem, except it will take 90 seconds per sheet to generate the raster for the printer. Meanwhile I could print the whole file on single sheets faster than the first sheet of 4 per page. The MS Word 4 sheets to a page print option doesn't take more than a couple seconds to start printing. I could go on all day about how shitty PDF is, and I haven't even touched on the DRM aspects.
As a professional in document management, I would ask all of you, please, do not use PDF unless no other option exists. Tell providers you don't want PDF format. Tell customers why PDF sucks and give them TIFF or something else. PLEASE.
Apparently you are...failing
Sumatra PDF has had a browser plug-in available for about 9 months.
> It's HORRIBLE, and yet everyone seems to use it.
You've basically hit on the definition of "standard" in the tech world.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Mod parent up - Okular looks like a really good option for Windows covering PDF, XPS, ePub, Mobipocket, CHM, etc. Rather a large download if it's your first KDE app on Windows (80 MB to download, 200 MB installed), but disk space isn't expensive these days and other KDE apps will be small downloads. There is even a standard Windows-style installer.
Unfortunately I need Adobe on my work PC to enable comments - don't think Foxit handles this. Foxit 5.0 was a bit crap (broke in some ways) but 5.1 is better.
Thanks for the pointer to Okular, this might be a good option on Windows. Included in the KDE for Windows installer: http://windows.kde.org/download.php