F-Secure Says Stop Using Acrobat Reader

During the RSA Conference (2009) held this week, F-Secure's chief research officer Mikko Hypponen told the press on Tuesday that consumers should not use Adobe's Acrobat Reader, but rather switch to an alternate application to read PDF files. Those are strong words, especially when most consumers have Acrobat Reader installed and set as the default PDF application. However, according to Hypponen, 47 percent of the targeted attacks in 2009 have exploited holes in the program; six vulnerabilities have been discovered in Reader so far this year (SA29773).

Hypponen went on to warn that Adobe Reader is the new Internet Explorer (6), referring to a time when security experts told consumers to switch to another browser due to huge security holes in Microsoft's browser. By getting rid of Reader, he said that consumers will reduce their risk of acquiring malicious code and infecting the PC. "That's my advice," Hypponen said. "I don't expect a Christmas card from Adobe."

PDF files can be especially dangerous to consumers and executives who are accustomed to receiving files in that format. Recipients of an infected PDF merely open the file via Acrobat Reader and activate the embedded malicious code (aka a "targeted attack"), opening a back door in the PC and allowing the attacker to steal sensitive data. Security flaws in the Adobe Acrobat Reader browser plugin also allow the attacker to come in and create a back door, termed a "drive-by download," when the end user downloads a PDF from a "tainted" website.

Unfortunately, the problem is getting worse. According to Hypponen, F-Secure saw 128 "dangerous" drive-by attacks between Jan 1 and April 16, 2008. In the same time frame this year, F-Secure has seen 2,305 drive-by attacks. To alleviate the problem, Hypponen suggested that Adobe should make security a priority and take notes from Microsoft, which releases monthly security patches on a regular basis. Unfortunately, consumers aren't fully aware that Adobe's Acrobat Reader requires security updates, and often avoid installing crucial updates when the program alerts the end user to a new patch.

For now, Hypponen suggests that consumers stop using Reader altogether, and locate a compatible program by heading to this website. Are these programs more secure? That's a good question; however, like Firefox and the other non-Internet Explorer browsers, they're not currently in the hacker-oriented spotlight. Still, come this holiday season, it will not be surprising to see Adobe sending a Christmas card PDF to Hypponen's email inbox.

  • padraig
    What's the best alternative to Acrobat?
  • Horhe
    I'm using Foxit Reader. It's very much like Adobe Reader, only slightly faster and much smaller.
  • haze4peace
    Not to mention a bloated piece of junk. I use Sumatra PDF. It's a no-frills PDF reader. All in a little over 1 MB.
  • shabodah
    I don't understand why we haven't moved away from the PDF format in the first place. It is only slightly less outdated than the fax machine. Adobe also has so much bloat in their software, it slows down the majority of business/office machines far more than it should. To think that anyone thinks Reader or PDF formats are secure is just sad.
  • skine
    According to Slashdot, he suggested readers from http://pdfreaders.org/.
  • ravenware
    it slows down the majority of business/office machines far more than it should

    You need to upgrade your equipment.

    I have had speed problems when printing through slow ass print servers.

    Newer Canon Image Runners and Xerox color machines do not have the speed problems like they used to.

    I know what you mean though, nothing like watching a 200MB PDF spool for an eon whilst trying to hit a deadline.
  • JimmiG
    I just tried two alternatives:

    Okular: Required some kind of KDE compatibility layer that wouldn't install.

    SumatraPDF: Worked fine for viewing simpler documents. When I opened a very complex document (a vectorized map of all the city bus lines in my city), rendering took a very long time, especially when zooming, and the program used nearly 1GB of RAM during the process (but gave it all back once the rendering was completed). Also some effects like shadows didn't seem to display properly or at all.

    Foxit: Faster than Acrobat Reader, used slightly less memory. Shadows are displayed properly. It wanted to install some spyware "toolbar" but gave the option to say no (at the expense of some features). I'll definitely switch to this on my Netbook, provided it's compatible with Firefox as a plugin. It struggles a bit with Acrobat Reader. Not sure about my desktop system - I've got a quad core CPU and RAM to spare, and Acrobat has never given me any problems.
  • Shadow703793
    curnel_d: I'm running Foxit as well. It's not just a little faster, it's a TON faster compared to Adobe's Acrobat. It also has an add-on extension to create PDFs as well, for a price. Foxit is just better.

    +1. Same here. Only reason I have the Adobe 3D installed is because of my CAD software.
  • jsloan
    wow, switching right now! thx for the article!!!
  • jsloan
    if adobe acrobat is insecure, what about adobe flash or shockwave, etc. they must be bigger holes! should we uninstall them too, or find alternatives?