

Adobe Reader is world's most-exploited app - fogus
http://www.theregister.co.uk/2010/03/09/adobe_reader_attacks/

======
wizard_2
Half of my day job is supporting about 40 users in our company's New York
office. The last 4 infections that I've been able to look into involved Adobe
Reader in one form or another. I've only seen one malicious PDF file; most of
the time it's JavaScript that loads reader and delivers a payload. I haven't
quite figured out that part yet, and frankly I don't care enough. I'm
satisfied knowing the cause.

I keep Reader up to date but often these exploits hit either right after an
update has been released so the patch hasn't been applied, or there just isn't
a patch yet. It's almost enough to make me switch to Foxit. I just have to do
the research to see if it supports the advanced features (forms, digital
signatures, encrypted files) that people are using.

------
tptacek
Bear in mind that the primary reason Reader is the "world's most exploited
app" (it probably isn't, but it's one of them) is that it's ubiquitous. It's
one of a small group of apps where a break can hand you tens of millions of
machines.

Very few apps (I actually can't name one) with that market footprint fare
better than Reader is now. Microsoft has poured supernatural amounts of money
into Internet Explorer, and they're still getting in the paper over IE zero
day.

------
tsally
Because who could have predicted allowing JavaScript in a document format was
a bad idea.

~~~
windsurfer
Imagine what would happen if Firefox rendered PDFs natively.

~~~
ZeroGravitas
I'm sure I read that Chrome was adding this feature. I heard about it just
after the Google-China hacking thing which was apparently partly due to Adobe
Reader.

~~~
tsally
It wasn't. iDefense retracted that part of their report.

------
CoryMathews
I still never understood why Adobe thinks Reader has to do so much. It just
has to show a paper. If they would have stuck with that all would have been
fine. But they will always be Adobe..

~~~
windsurfer
Corporate stuff! They want Reader to be ubiquitous so that the competition
can't get in.

Reader doesn't just have to show a paper in an office. It could have a form.
It could have a CAD drawing. It could do all sorts of magic that a business
can come to rely on.

Imagine how much simpler it is to send a PDF to a client to sign and "submit"
as opposed to managing faxes.

~~~
CoryMathews
Then they should put out a Reader Lite, which would only allow basic
functions, since most of the non-corporate world uses nothing but these.

~~~
windsurfer
That would be admitting there is something wrong with their program, and it
would increase the risk of people not being able to read the format. You would
end up with two different PDF 'standards' and it wouldn't help anything.

------
rythie
A lot of people prefer receiving PDFs because they are safer than MS Office
documents. Maybe not, eh?

~~~
chaosprophet
PDFs are not inherently insecure. It's just that Adobe Reader is crap (and
any sane person would have switched to a better option a long time ago).

~~~
ronnier
Can you list one of those options?

~~~
CrLf
Foxit Reader if you are on Windows, Preview if you're on a Mac, evince if
you're on Linux.

I personally do not use Adobe Reader on any platform. I found the alternatives
to be both leaner and not lacking any relevant features.

~~~
tesseract
Lately Foxit has been feeling even slower and more bloated than the current
Adobe Reader, at least on my setup. I'm pretty happy with SumatraPDF, although
it is not terribly featureful so I have Adobe Reader installed as well.

