I use a lot of Adobe products. Lightroom, Photoshop, Premiere and Acrobat to name some. So, when blogs started buzzing about an Acrobat vulnerability, they grabbed my attention. And, when my distinguished colleague Larry Seltzer at eWeek.com wrote that “It May Be Time to Abandon Adobe”, I began to wonder if the sky was falling.

Adobe deserves a Colbert-style wag of the finger and I can understand why Seltzer is frustrated by the delay in obtaining a patch. But his suggestion that companies consider dumping Adobe in favour of other third-party PDF readers — readers that he himself admits also have a track record of security issues — just doesn’t make sense.

Let’s take a look at what happened.

In February, a vulnerability in several versions of Adobe Reader and Acrobat was discovered. In summary, a PDF can be crafted so that your system is compromised when you open it or, under certain circumstances, when your computer indexes it, without you ever opening the file (more on that later).

Things appear to have been quiet until Feb 19th, when various security researchers and vulnerability databases picked it up. Adobe released an advisory the same day and updated it on Feb 24th. The advisory stated that a patch would be available on March 11th. In the meantime Adobe worked with antivirus vendors to protect customers; it has since released the patch and posted details on its blog.

Yes, Adobe had a security defect in its code and took a few weeks to release a patch. Yes, it needs to be more careful and respond faster. But that is only part of the story.

Aside from the overly sensationalistic and unbalanced journalism, much of the buzz had to do with the fact that, as Didier Stevens points out in his blog post, infection can occur “…on a Windows XP SP2 machine with Windows Indexing Services started and Adobe Acrobat Reader 9.0 installed…And the bug happens in a process running with Local System rights!” Nasty indeed: the user need not open the document, because the indexer parses it for them, and the parser bug fires with full system privileges. But that is only partially Adobe’s fault.

No process that interacts with user data, including an indexing service, should run with system privileges. An indexer parses every document that lands on the disk, including ones the user never opened, using third-party parser code; that is untrusted input being processed with the highest privilege the operating system has. It is the type of stupidity that should cause first-year computer science students, and experienced IT writers, to point their fingers and laugh. No process indexing a user’s files should have the right to change operating system files. Ideally, it should not even be able to write to the files it is indexing. It does not need those privileges to do its job, so it should not have them. This is the Principle of Least Privilege. Had the operating system been designed that way, the impact of this code defect would have been significantly reduced: the attacker would have gained the rights of a restricted service account, not of the system itself.

If we really want to see fewer security vulnerabilities, we need to start architecting software and operating systems better and building security in, rather than treating it as an afterthought. We need to design systems that tolerate code mistakes without breaching security: assume the parser will have bugs, and arrange things so that a bug yields a crash in an unprivileged, isolated process rather than a compromise of the machine. It can be done, but software developers will not do it until the market demands it.
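The design the two paragraphs above ask for can be shown in code. What follows is an added example, not code from this post, from Adobe or from Microsoft, and it uses POSIX primitives (fork, setuid, rlimits) because that is where privilege separation fits in a few portable lines; the Windows Indexing Service itself is not modelled. A toy parser stands in for the PDF/JBIG2 decoder, and a document line of the form `!write <path>` simulates a parser bug that an attacker has turned into "write a file to disk". Every document is parsed in a forked child that has given up root if it had it, holds only a read-only descriptor for the document, is forbidden by RLIMIT_FSIZE from writing a single byte to any file, and has a CPU budget. The function names, the `nobody` account, the `CPU_SECONDS` budget and the sample corpus are this example's own assumptions and constructions.

```python
# Least-privilege indexer sketch: an added example, not the post's, Adobe's or
# Microsoft's code. POSIX only; a toy parser stands in for the PDF decoder.
import os
import pwd
import resource
import signal
import tempfile

CPU_SECONDS = 5  # assumed per-document CPU budget for the sandboxed parse

def parse_document(fd):
    """Toy stand-in for the PDF/JBIG2 decoder: return the set of words."""
    text = os.read(fd, 1 << 20).decode("utf-8", "replace")
    words = set()
    for line in text.splitlines():
        if line.startswith("!write "):
            # Simulated exploitation of a parser bug: try to drop a file.
            with open(line[len("!write "):], "w") as out:
                out.write("owned by the document")
        words.update(line.split())
    return words

def _confine_child():
    """Run in the forked child before any untrusted byte is parsed."""
    if os.geteuid() == 0:  # root is the analogue of Local System: give it up
        try:
            uid, gid = pwd.getpwnam("nobody")[2:4]  # assumed account name
        except KeyError:
            uid = gid = 65534
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)
    # Writing even one byte to any file now fails with EFBIG. (An empty file
    # can still be created: a size limit is not a filesystem sandbox.)
    signal.signal(signal.SIGXFSZ, signal.SIG_IGN)
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))
    # Bound CPU so a decompression bomb cannot stall the indexer.
    hard = resource.getrlimit(resource.RLIMIT_CPU)[1]
    budget = CPU_SECONDS if hard == resource.RLIM_INFINITY else min(CPU_SECONDS, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (budget, budget))

def index_file(path):
    """Parse one document in a confined child. Returns (True, words) or
    (False, reason); nothing the child does can alter the parent's state."""
    fd = os.open(path, os.O_RDONLY)
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the only process that ever touches document bytes
        os.close(rd)
        try:
            _confine_child()
            payload = b"ok\n" + "\n".join(sorted(parse_document(fd))).encode()
        except BaseException as exc:
            payload = f"err\n{type(exc).__name__}: {exc}".encode("utf-8", "replace")
        while payload:
            payload = payload[os.write(wr, payload):]
        os._exit(0)
    os.close(wr)
    os.close(fd)
    chunks = []
    while chunk := os.read(rd, 65536):
        chunks.append(chunk)
    os.close(rd)
    _, status = os.waitpid(pid, 0)
    # The child is the process we assume gets compromised, so its output is a
    # plain line protocol treated as data, never pickle or anything executable.
    head, _, body = b"".join(chunks).partition(b"\n")
    if head == b"ok":
        return True, set(body.decode("utf-8", "replace").splitlines())
    if head == b"err":
        return False, body.decode("utf-8", "replace")
    return False, f"child died without a result (wait status {status})"

def build_index(paths):
    """Index a corpus; a hostile document fails alone and the rest proceed."""
    index, failures = {}, {}
    for path in paths:
        ok, payload = index_file(path)
        if ok:
            for word in payload:
                index.setdefault(word, set()).add(path)
        else:
            failures[path] = payload
    return index, failures

def demo():
    """Constructed corpus: a benign note plus a 'weaponised' document that
    tries to drop a file beside it. Returns (index, failures, bytes_dropped)."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "dropped.txt")
    benign, hostile = os.path.join(workdir, "notes.txt"), os.path.join(workdir, "evil.txt")
    with open(benign, "w") as f:
        f.write("quarterly budget review\n")
    with open(hostile, "w") as f:
        f.write(f"!write {target}\nannual report\n")
    index, failures = build_index([benign, hostile])
    dropped = os.path.getsize(target) if os.path.exists(target) else 0
    return index, failures, dropped
```

Calling `demo()` indexes the benign note while the hostile document fails inside its own child with an OSError (EFBIG, or a permission error if the child had to drop root); the file it tried to plant is absent or empty, and the indexer carries on with the rest of the corpus. A zero-byte file size limit is a crude stand-in for a real sandbox (chroot, namespaces or an equivalent OS facility), and the comment in `_confine_child` notes what it does not cover. The shape is the point: untrusted input is parsed only in a process that has nothing worth taking, and the parent treats that process's output as data rather than trusting it.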

Or, I guess, you could just take Seltzer’s advice. Dump Adobe and move to Foxit. That product hasn’t had a security vulnerability announced in two days. And look, it’s the same issue as Adobe’s. Or take Seltzer’s advice and try Sumatra PDF, an open source solution that has about 200 open defects, some of them dating from 2007.

Adobe may not be perfect and the company could have reacted faster. But put away the pitchforks. Or, at least, aim them in the right direction.

6 Responses to Adobe vulnerability — In perspective


  1. kingthorin
    Mar 12, 2009

    There’s an important piece missing from this article. Yes Adobe has released an update for version 9 of Reader which corrects this issue but how many people are actually using 9?

    http://blog.threatfire.com/2009/03/pdf-reader-exploitation-2009.html

    Claims the following stats:
    Reader v9 less than 1%
    Reader v8 48%
    Reader v7 50%

    Now which should Adobe have put their effort in to patching first?

    I tried to find “official” numbers but was unable. The numbers above still provide perspective though.


  2. Eric Jacksch
    Mar 12, 2009

    Interesting point, but since Adobe Reader is free, it’s not unreasonable to expect people to upgrade to the latest version.


  3. Johnathon
    Mar 12, 2009

    I don’t understand why people still use Adobe Reader. PDFs are an ISO standard and there are so many smaller, lighter, faster and feature-rich alternatives (FoxitPDF reader, for example).

    Once I went Foxit, I never went back.

    -JM


  4. Evolving Squid
    Mar 12, 2009

    Here’s why, Johnathon (quote from another message board):

    >>User 2: The PDF requires a password? EDIT: Strange, the
    >>PDF reader on my linux machine demands a password, but it
    >>works fine in Windows… nevermind 😛
    >
    >User 1: Should only require a password if you’re trying
    >to alter the PDF settings. Should open clean with a
    >properly compatible reader.

    That’s right… some open source reader couldn’t handle a simple v7 PDF that was locked against making changes.

    And although there is a basic PDF standard that is ISO, the Adobe suite does a lot more beyond just making little files for people to read.

    I think that in time, third party applications for PDF will come along that are feature-rich and of commercial quality… but we’re not there yet.

    Foxit also has (and has had) a number of security vulnerabilities: http://secunia.com/advisories/search/?search=Foxit the most important of which is this one, updated this morning: http://secunia.com/advisories/34036/


  5. Didier Stevens
    Mar 12, 2009

    A valid reason to switch applications (e.g. Adobe -> Foxit) because of security, is not because the other application has a better security design, but because the other application is much less targeted. But this is a short term tactic.


  6. Didier Stevens
    Mar 12, 2009

    @Johnathon:

    >I don’t understand why people still use Adobe Reader? PDF’s are
    > an ISO standard and there are so many smaller, lighter, faster
    > and feature rich alternatives (FoxitPDF reader) for example.

    Because most computer users don’t understand the inner workings of computers. They don’t understand the application document paradigm. If they want to open a document, they double-click it. They don’t know that this action will launch an application (Acrobat) that will then open the document (PDF).
    They just think: the computer opened the document.

    And if most computer users are not aware of the application & document paradigm, they certainly wouldn’t understand switching applications!

    BTW, I’m not advocating that users should understand the inner workings of computers.
