The more I deal with vulnerabilities in Acrobat, the less patience I have with the company. You actually can take your business elsewhere.

When you budget time for this coming Patch Tuesday (March 10), don't forget to leave some in for the following day, March 11, when Adobe will grace us with the update for the latest zero-day vulnerability in Acrobat and its Reader program.
The exploits of this vulnerability don't appear to be widespread, but you have to assume they could explode any minute. After what eWEEK and others went through last month you have to assume that PDF exploits can have a huge impact long after they are patched.
And the potential damage from this vulnerability, which has come to be known as the JBIG2Decode exploit, is huge: Didier Stevens has demonstrated this bug executing through the Adobe Reader shell extension; all the user has to do is to open a folder (in thumbnail view) that contains a malicious PDF using the attack.
I've already hit Adobe hard for an insufficiently aggressive approach to vulnerabilities in its own products. In fact, for the JBIG2Decode bug there isn't even an effective mitigation. All Adobe has recommended is that we disable JavaScript, a solution that itself is unacceptable to many organizations because JavaScript is used in PDFs for forms-processing applications, and it's there because Adobe put it there. But disabling JavaScript doesn't even really block the vulnerability, just the known exploits of it: the flaw is in the image decoder, and JavaScript is only what the current exploits use around it.
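To make that distinction concrete, here is an added triage heuristic (my example, not code from the column or from Adobe) that scans a PDF for the /JBIG2Decode filter separately from /JavaScript, so a gateway can flag files that touch the vulnerable decoder whether or not they carry any script. It also decodes PDF's #xx name escapes and flags compressed object streams, which a plain substring search would miss; the sample PDFs are constructed skeletons, not real exploits.

```python
import re

# Constructed sample PDFs (minimal object skeletons, no real exploit data)
# covering the cases the column discusses.
PDF_JBIG2 = b"""%PDF-1.4
1 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8
/ColorSpace /DeviceGray /BitsPerComponent 1
/Filter /JBIG2Decode /Length 0 >> stream
endstream endobj
"""
PDF_JS_ONLY = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
"""
PDF_CLEAN = b"""%PDF-1.4
1 0 obj << /Type /XObject /Subtype /Image /Filter /FlateDecode /Length 0 >> stream
endstream endobj
"""
# Same filter name spelled with a #xx escape: naive grep for "JBIG2Decode" misses it.
PDF_ESCAPED = b"""%PDF-1.4
1 0 obj << /Filter /JBIG2D#65code /Length 0 >> stream
endstream endobj
"""

# A PDF name token: slash, then everything up to whitespace or a delimiter.
NAME_RE = re.compile(rb"/([^\s/<>\[\]()]+)")

def _unescape(name: bytes) -> bytes:
    """PDF names may encode any byte as #xx; normalise before comparing."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), name)

def pdf_names(data: bytes) -> set:
    """All distinct (unescaped) name tokens visible in the raw file."""
    return {_unescape(m.group(1)) for m in NAME_RE.finditer(data)}

def triage(data: bytes) -> dict:
    names = pdf_names(data)
    has_jbig2 = b"JBIG2Decode" in names
    has_js = bool(names & {b"JavaScript", b"JS"})
    # Object streams (PDF 1.5+) hold compressed dictionaries this raw scan
    # cannot see, so their presence alone warrants a deeper parse.
    has_objstm = b"ObjStm" in names
    if has_jbig2:
        verdict = "block"    # touches the vulnerable decoder, script or not
    elif has_js or has_objstm:
        verdict = "review"   # not the bug itself, but worth a closer look
    else:
        verdict = "allow"
    return {"jbig2": has_jbig2, "javascript": has_js,
            "objstm": has_objstm, "verdict": verdict}
```

The point of the split is that a JavaScript-only policy would let the first sample through, which is exactly the gap in Adobe's recommended mitigation.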
Did you know that PDF is an open standard (ISO 32000-1:2008)? And we have Adobe to thank for this, so give credit where credit is due. This means that anyone can make tools to create and/or view PDF documents, and they do. There are many companies that make PDF products for a variety of platforms.
Mikko Hypponen of F-Secure has it right: Adobe Reader has become the new IE. (Well, I'd say it's become the old IE, but you get the point.) Back to Mikko: "For some reason everybody seems to be using it for reading PDF files. Even though there are plenty of free alternatives. And the alternatives are much smaller and faster. And start up in under a minute."
OK, so let's take Mikko's advice. Furthermore, just to keep the issue a little simpler, let's only deal with PDF viewers; there are lots of products that compete with Acrobat itself for PDF generation, but that's a more complex issue and the number of seats is much, much smaller. Consider that you could replace Adobe Reader on your client PCs with Foxit or Sumatra PDF. It's got a lot going for it as an idea, and it's satisfying to those of us who are impatient with Adobe.
Before you go off taking my advice, I should add that there are clear limits to this strategy. Just because nobody is researching and developing attacks for non-Adobe viewers doesn't mean they don't have vulnerabilities. Such attacks could be developed, and if someone is looking at a targeted attack on your organization it would make great sense to develop one.
In fact, the third-party viewers have already been successfully exploited. As part of the research into the vulnerability exploited against eWEEK recently, Secunia found a very similar vulnerability in Foxit Reader. It's so similar you have to wonder if the same people coded both products' JavaScript engines. But on the whole, Adobe vulnerabilities won't be exploitable in alternative viewers.
This strategy mimics, to a degree, that of people who get a Mac because they're sick of the security problems in Windows. You're trying to fly under the radar. There are some differences. Mac switchers probably end up paying more and have fewer choices for software and (certainly) hardware. Alternate PDF viewers "should" be plug-and-play interchangeable with Adobe's viewer.
I wouldn't recommend launching right now into a full-blown switchover, but I would definitely start experimenting. Pick a group that uses PDFs in a typical way and switch them over, making sure to let them know what you're doing and that they should let you know of any problems. If there aren't any problems, it's time to start expanding the tests. Maybe you can even try different viewers with different groups and see how they work out.
Or you can just sit around and wait for Adobe to fix the problems as they come up.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.