It May Be Time to Abandon Adobe

The more I deal with vulnerabilities in Acrobat the less patience I have with the company. You actually can take your business elsewhere.

When you budget time this coming Patch Tuesday (March 10) don't forget to leave some in for the following day, March 11, when Adobe will grace us with the update to the latest zero-day vulnerability in Acrobat and its Reader program.

The exploits of this vulnerability don't appear to be widespread, but you have to assume they could explode any minute. After what eWEEK and others went through last month you have to assume that PDF exploits can have a huge impact long after they are patched.

And the potential damage from this vulnerability, which has come to be known as the JBIG2Decode exploit, is huge: Didier Stevens has demonstrated this bug executing through the Adobe Reader shell extension; all the user has to do is to open a folder (in thumbnail view) that contains a malicious PDF using the attack.

I've already hit Adobe hard for an insufficiently aggressive approach to vulnerabilities in its own products. In fact, for the JBIG2Decode bug there isn't even an effective mitigation. All Adobe has recommended is that we disable JavaScript, a solution that is itself unacceptable to many organizations because JavaScript is used in PDFs for forms-processing applications, and it's there because Adobe put it there. But disabling JavaScript doesn't really block the vulnerability at all, just the known exploits of it.
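The point above is that a JavaScript-only policy addresses the known exploits, not the JBIG2Decode flaw itself. As an added illustration (not from the original column or from Adobe), this Python triage check looks for the JBIG2Decode filter directly; the sample PDFs are constructed, not real malware, and include one file that carries the filter with no JavaScript at all, which a JavaScript-only check would pass.

```python
import re

# Constructed sample: a minimal PDF whose image XObject uses the JBIG2Decode
# filter and contains no JavaScript anywhere.
SAMPLE_JBIG2_NO_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8\n"
    b"   /ColorSpace /DeviceGray /BitsPerComponent 1\n"
    b"   /Filter /JBIG2Decode /Length 4 >>\nstream\n\x00\x00\x00\x00\nendstream\nendobj\n"
    b"%%EOF\n"
)
# Same file, but the filter name uses a PDF hex escape (#44 is 'D'); a naive
# substring match for "/JBIG2Decode" would miss it.
SAMPLE_OBFUSCATED = SAMPLE_JBIG2_NO_JS.replace(b"/JBIG2Decode", b"/JBIG2#44ecode")
# Constructed document-open JavaScript action with no JBIG2 image at all.
SAMPLE_JS_ONLY = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog\n"
    b"   /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF\n"
)

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF name objects so spelling variants compare equal."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Report the two indicators discussed above: the JBIG2Decode filter and JavaScript.
    Heuristic only: names inside compressed object streams (PDF 1.5+) are invisible to a
    plain byte scan and would have to be inflated before this check can see them."""
    text = normalize_names(data)
    return {
        "jbig2decode": re.search(rb"/JBIG2Decode\b", text) is not None,
        "javascript": re.search(rb"/(?:JavaScript|JS)\b", text) is not None,
    }

if __name__ == "__main__":
    samples = [("jbig2, no js", SAMPLE_JBIG2_NO_JS),
               ("jbig2 hex-escaped", SAMPLE_OBFUSCATED),
               ("js only", SAMPLE_JS_ONLY)]
    for label, sample in samples:
        print(f"{label:20} -> {triage_pdf(sample)}")
```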

Did you know that PDF is an open standard (ISO 32000-1:2008)? And we have Adobe to thank for this, so give credit where credit is due. This means that anyone can make tools to create and/or view PDF documents, and they do. There are many companies that make PDF products for a variety of platforms.

Mikko Hypponen of F-Secure has it right: Adobe Reader has become the new IE. (Well, I'd say it's become the old IE, but you get the point.) Back to Mikko: "For some reason everybody seems to be using it for reading PDF files. Even though there are plenty of free alternatives. And the alternatives are much smaller and faster. And start up in under a minute."

OK, so let's take Mikko's advice. Furthermore, just to keep the issue a little simpler, let's only deal with PDF viewers; there are lots of products that compete with Acrobat itself for PDF generation, but that's a more complex issue and the number of seats is much, much smaller. Consider that you could replace Adobe Reader on your client PCs with Foxit or Sumatra PDF. It's got a lot going for it as an idea, and it's satisfying to those of us who are impatient with Adobe.

Before you go off taking my advice, I should add that there are clear limits to this strategy. Just because nobody is researching and developing attacks for non-Adobe viewers doesn't mean they don't have them. Such vulnerabilities could be developed, and if someone is looking at a targeted attack on your organization it would make great sense to develop one.

In fact, the third-party viewers have already been successfully exploited. As part of the research into the vulnerability exploited against eWEEK recently, Secunia found a very similar vulnerability in Foxit Reader. It's so similar you have to wonder if the same people coded both products' JavaScript engines. But on the whole, Adobe vulnerabilities won't be exploitable in alternative viewers.

This strategy mimics, to a degree, that of people who get a Mac because they're sick of the security problems in Windows. You're trying to fly under the radar. There are some differences. Mac switchers probably end up paying more and have fewer choices for software and (certainly) hardware. Alternate PDF viewers "should" be plug-and-play interchangeable with Adobe's viewer.

I wouldn't recommend launching right now into a full-blown switchover, but I would definitely start experimenting. Pick a group that uses PDFs in a typical way and switch them over, making sure to let them know what you're doing and that they should let you know of any problems. If there aren't any problems it's time to start expanding the tests. Maybe you can even try different viewers with different groups and see how they work out.

Or you can just sit around and wait for Adobe to fix the problems as they come up.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.