
Why does Adobe Reader need so many updates? - wave
http://www.reddit.com/r/geek/comments/ddh5p/the_iso_pdf_standard_hasnt_been_updated_since/c0zfics
======
tybris
When I read that comment I decided it was time to uninstall Adobe Reader and
found it was taking up 145MB of disk space. Many thoughts went through my
mind. Maybe there was whole virtual civilization in there and I just wiped it
out. Maybe Adobe Reader is skynet and I'm John Connor. Maybe it was time to
find a new PDF viewer.

My first try was Foxit. I found its short name promising. The installer
confused me with talks of Javascript and safe mode, did not look good. First
paper I opened crashed the program. *sigh*. Sumatra had the colourful charm
of the web in the 90s. I was almost ready to give up the resistance. I took a
deep breath and clicked the link of the installer. Before the next breath it
was installed and I was opening PDFs that looked just fine.

TL;DR remove adobe reader, install Sumatra

~~~
trotsky
Sumatra is a good application choice for safety, but be aware - the printing
support is either really bad or non-functional depending on the document.

~~~
Hawramani
I moved to Sumatra PDF many moons ago and have never looked back. It is like
the Google Chrome of PDF viewers.

~~~
Silhouette
I'm honestly interested... Was that intended to be a subtle joke or a serious
analogy?

~~~
Hawramani
I was actually serious. When Chrome came out I left Firefox since Chrome was
so much faster on my PC. Same thing with Sumatra. I guess the analogy would
work well for those who had a similar experience with Chrome. :)

~~~
Silhouette
That much I guessed. I just wondered if you realised that Chrome itself has a
PDF viewer built-in these days, making Google Chrome the Google Chrome of PDF
readers. :-)

~~~
Hawramani
That certainly makes a good joke. :-) But no, I didn't have that in mind.

------
trotsky
Because Adobe has some kind of serious systemic code quality issue and they
get beat by exploit writers all the time. It doesn't help that their
applications are so popular and widely installed that they present a juicy
target. I refuse to have acrobat installed, and I'm super paranoid about where
I let flash run.

If you have flash and acrobat installed and let the plugins run anytime a site
requests them you're begging to be owned (and owned and owned).

~~~
norova
That last statement might be a tad exaggerated....

I've been using Flash and Adobe/Acrobat reader for years and have yet to be
"owned" through either channel, and I spend a _lot_ of time browsing the web.

~~~
trotsky
An honest question - to you or anyone who basically feels the same way:

What methods do you use to determine if you're running hostile code? How often
do you look? Do you check from another OS? Keep hashes of system files?

Let me expand on the theory that most malware hosts have absolutely no idea
(and not just the dumb ones):

Once installed many threats actively evade AV, personal firewalls, and code
signing requirements. Are you booting a livecd and checking hashes of the boot
block and boot chain against previously saved values? What about the hash of
your EPROMS?

I understand that sounds very paranoid - but advanced toolkits that attack the
BIOS or boot loader are widely available. Are they only for juicy targets?
TDL4 - an advanced threat that starts in the boot block and has used private
0-days - is engaged in the super spy thriller business of clickfraud. $10k
will buy you a kit from Israel that inserts similar code into the system BIOS
and is designed for non-techies to deploy.

Expecting to see increased resource usage? CPU, RAM, network speed are all far
outstripping most actual application needs and the resources needed for a
keylogger, affinity rewriter, ad inserter or similar are vanishingly small.

Expecting a signature hit in some security software? Authors check their own
code frequently - when signatures get deployed that catch them they simply
recompile and tweak until they're undetected again.

Expecting pop up ads, AV scareware, spamming activity or fraud alerts on your
credit card? Some threats are like that, yes, but shrinking. Just as or more
likely are threats that manipulate search results, add affiliate tags to big
ticket items, slip paid SEO links into blogs, steal your banking credentials
but decide you're too poor or in an inconvenient county or steal company
IP/plans/etc for Chinese, Russian, French, Korean etc. competitors - the
impact of which may take years or never be identified.

Expecting unknown, suspicious or hidden processes? Hiding in plain sight is a
common and effective tactic. Can you tell the difference between a game
installed codec, a useful codec with legal clickstream collections installed
by a torrent downloader and a codec that was installed by exploit and rewrites
your network traffic? Looking at a process list how many are you positive were
running last month? Can you tell if skype is loading a dll or so that it
wasn't before?

Think you're an unlikely target? Odds are that's true. However, automated
tools can be deployed against thousands of targets and if only one or two have
something really juicy it was a worthwhile effort. Proprietary IP of almost
every type has some value to someone be it term sheets, source code, M&A data,
business process, sales leads, P&L data etc. Could your SO think you're
cheating? Smartphone malware sold for 3000 yuan (~$450) supposedly marketed to
housewives was found running on 150,000 Chinese phones - it real time tracks
your location, records audio, video and pictures regularly or on demand,
steals credentials and all email/im/sms traffic. If you're of no interest it's
possible your next door neighbor is, or his girlfriend, or someone who gets
coffee where you do.

20 years ago malware was made by hobbyists. 10 years ago malware was made by
small independent businessmen and specialty concerns. 5 years ago malware was
made by organized crime, corporate espionage and intelligence agencies. Today
malware is made by private organizations with hundreds of employees and
traditional office space, teams supporting major M&A lawyers, the FBI to
execute wiretapping warrants, defense contractors, ad networks, energy
companies, virtual currency resellers, intelligence services conducting broad
surveillance on foreign populations and security services conducting broad
surveillance on their own citizenry.

One reason you don't hear a lot about it is there are very few practical
solutions out there to be implemented. Microsoft, Google, Apple, Oracle and
Intel are all making inroads to various degrees but practically it is decidedly
a losing game so far. For the time being their profit margins depend on people
not getting scared away. Law enforcement and Intelligence services that might
have warned against such threats in another era are by and large too busy
exploiting them.

I fully understand that this all sounds very tinfoil hat and extremist. All
the examples given are real and happening to very real people every day. The
threat model has radically changed - it may just take another 3-5 years for
everyone to understand the new rules.
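
Added example, not part of trotsky's comment: one way to do the check the comment asks about, keeping hashes of system files and of the boot block and comparing them against previously saved values. The 512-byte boot block size, the `<boot-block>` label and all function names are assumptions of this example; it is meant to be run from separate boot media with the manifest stored off the machine, since a compromised OS can lie about file contents.

```python
import hashlib
import json
import sys
from pathlib import Path

SECTOR = 512  # classic MBR boot block size; an assumption, adjust for your layout

def sha256_file(path, limit=None):
    """SHA-256 of a file, or of only its first `limit` bytes."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(65536 if remaining is None else min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()

def snapshot(root, boot_device=None):
    """Map each file under root to its hash; optionally add the boot block."""
    root = Path(root)
    snap = {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}
    if boot_device is not None:
        snap["<boot-block>"] = sha256_file(boot_device, limit=SECTOR)
    return snap

def compare(baseline, current):
    """Report entries that appeared, disappeared or changed since the baseline."""
    both = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": sorted(k for k in both if baseline[k] != current[k])}

def save(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))

def load(path):
    return json.loads(Path(path).read_text())

if __name__ == "__main__" and len(sys.argv) >= 4:
    # usage: script.py baseline|check MANIFEST ROOT [BOOT_DEVICE]
    mode, manifest, root, *dev = sys.argv[1:]
    snap = snapshot(root, dev[0] if dev else None)
    if mode == "baseline":
        save(snap, manifest)
    else:
        print(json.dumps(compare(load(manifest), snap), indent=1))
```

A clean result only says the hashed files match the baseline; it says nothing about firmware or anything outside the snapshot root.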

~~~
brown9-2
What's an "affinity rewriter"?

~~~
trotsky
sorry, I meant affiliate

~~~
PidGin128
I assumed it changed the processor affinity for a running process. :/

------
m0nastic
I am more aggravated by the fact that when Reader installs an update, it re-
adds an icon to my desktop.

For the life of me, I can't think of a single reason why I would ever want to
launch Reader by itself (and not by launching a PDF file).

~~~
gvb
Worse, it seems to require a full computer reboot. Every. Time. This implies
it is hooked so deeply into Windows that if Reader sneezes, Windows will get
an appendectomy.

~~~
estel
Out of interest, what Windows version are you running? Adobe hasn't asked me
to reboot in quite a long while.

~~~
gvb
Win 7, but, on reflection, I'm not being fair to Adobe. I just remembered I
have _Acrobat_ installed on that computer, not just Reader, and it is
undoubtedly Acrobat updates that are causing my reboot pain.

------
billybob
On two occasions, my wife received PDF monstrosities via her school. The first
time, I was astounded at the size of a PDF we had to download. When we opened
it, it contained a movie. I was dumbstruck.

The second time, I tried to open one with Foxit and was informed that I MUST
use Acrobat, which I dutifully installed. This PDF was actually a browsable
archive of OTHER PDFs.

We already have video files, and even streaming video. We already have zip
files. I want to beg Adobe to stop the madness, but if they've already put an
email server inside Reader, there is truly no hope.

~~~
westbywest
The bar was set at embedding a flight simulator as an easter egg, so Adobe
does still have room to grow here.

------
beaumartinez
Since Chrome started including a PDF plugin out-of-the-box I've started
opening PDFs with it and haven't looked back since.

~~~
antidaily
Yeah, just wish there was an easy way to download once in the viewer.

~~~
jmilloy
What? Like Ctrl-S?

~~~
spatulon
That re-downloads the file from the server, whereas the Adobe plugin keeps a
cache of the file and saves it straight to disk. Most of the time there's no
difference, but if the PDF came from a single-use URL provided by your bank to
view a statement, then there's no way to save the PDF file from the Chrome
viewer.

~~~
beaumartinez
That is certainly a big usability oversight (especially with large PDFs), I
remember Chrome used to do that with images as well.

However, if those PDFs are requested via HTTP, unless the bank gives
appropriate caching headers I think Chrome is _technically_ correct in re-
requesting them: they might have changed in the meantime. (I assume it does
the same with webpages when you save them.)

The fact that the bank gives you a URL you can only HTTP GET once does sound
like very bad implementation on their behalf. Perhaps it's a cookie issue, or
even a bug in Chrome itself?

~~~
ugh
I don’t consider that to be the correct behavior at all. When I want to save
something I want to save it exactly as displayed. Requesting the page again
could defeat the whole purpose of saving the page.

Here is one example: You opened the front page of some news site a few hours
ago and now want to save it. Since news sites change frequently you would save
a completely different page compared to what you actually wanted to save if
the page were re-requested when saving. This is destructive behavior! No
browser should do that.

(I just tested what Google Chrome actually does. It does not actually re-
request the page when saving.)

------
mikeryan
I've completely switched to Preview on the Mac and Foxit Reader on my PC and
haven't looked back.

~~~
Spikefu
Google Chrome has a built in (ok, a plug-in, but I think it's there by
default) pdf viewer. Works pretty well for me.

~~~
matsur
I actually view Chrome's PDF plugin as a complete abomination (at least on the
Mac), and go out of my way to nuke it. It's slow, and there is _no_ easy way
to open the PDF displayed in a PDF handling app (i.e. Preview) without
resorting to copy and pasting the URL into wget.

~~~
epochwolf
Cmd + S or using Safari

~~~
ugh
You can open PDFs displayed in Safari in Preview without saving them to the
disk. (There is also a button that puts the document in the Downloads folder.)
Chrome’s PDF viewer is better than Adobe’s plugin but worse than Safari’s PDF
viewer.

------
TorKlingberg
The last time I installed Foxit, it tried to install spyware on my computer.
At least with Adobe Reader all the crap comes from the same company.

Evince on Ubuntu has worked great for the past few years for me.

~~~
potatolicious
> _"At least with Adobe Reader all the crap comes from the same company."_

Actually, last time I updated Adobe Reader it came with a copy of McAfee
something or another...

That was when I nuked all traces of Reader off my system. Not only is their
software crappy, bloated, and slow, but it's also a crapware vector to boot.

If I were a dev on the Reader team, I'd be pretty depressed about my life -
millions of people cursing your name, eviscerating your product in forums and
boards everywhere, everyday... and they're right.

~~~
gsivil
The fact that millions of people are using their software and the fact that
they have a real problem to solve (to silence the haters) does not sound so
depressing to me. On the contrary many developers would be happy to have such
a problem

------
rdamico
This is one of the main reasons why we launched crocodoc.com, to do the same
thing to Adobe Acrobat that Gmail did to Outlook: Take a bloated offline
application, bring it online, make it easy to use, and make it accessible to
the masses.

When you think about some of the most common reasons why people use software
like Acrobat and Word (e.g. viewing a document, filling out & saving a PDF
form, commenting on a presentation with a group), these are all things that
should be easy to do online or on your mobile device. That's the vision we're
working towards at Crocodoc: view and collaborate on any document on any
device.

------
GiraffeNecktie
Ech. What a horribly inaccurate and confused post. Somehow the writer managed
to completely conflate Adobe Reader and Adobe Acrobat, two related but
different products. I'm not one to defend Adobe, but this misinformed raving
doesn't shed light on anything.

------
tptacek
The full PDF standard, for which Reader is the reference implementation and
things like Foxit serve but subsets, is also much larger than you think it is.

------
yason
It's amazing that Windows hasn't got even a tiny back-to-basics PDF viewer
included by itself. (Or maybe the more recent versions do?)

I've been using evince (or whatever it is that ships with Ubuntu this year)
for years and never even considered that there might be a case where one would
want to install a separate PDF viewer. Before that, xpdf was the standard
reader and it was enough, too. Maybe Linux desktop isn't that bad all
together.

~~~
simonbrown
Windows 7 has an XPS Viewer (Microsoft's attempt to replace PDF).

------
emehrkay
I left Acrobat when I left Windows :) I feel like it is one of the first
things my mom would download and install after a fresh Windows XP
format/install.

------
bluekeybox
This is why I enjoy using Mac OS X -- it has great PDF support built-in, so no
need for Adobe software.

------
Pinckney
I was seriously annoyed recently when my former employer's payroll software
required that I have Adobe's PDF plugin installed to download my W2. It wasn't
a .pdf link, no; it insisted on using the plugin before it would let me save a
copy.

------
nazgulnarsil
because adobe sucks. I hate them.

------
HaloZero
Has reddit been appearing on Hacker News far more frequently recently or is it
just a coincidence? I'm sure this is the 2nd or 3rd time I've seen it.

------
stretchwithme
This app refreshes too frequently. That one refreshes too infrequently. Then I
installed this other one and it refreshed just right. Then 3 Bears came in and
crushed my computer.

------
Luyt
Brrrr, Reddit still scares me. And these 'Adobe Flash Updates' when I start a
Windows machine don't reassure me either.

~~~
Qz
Ever since 10.1 the Flash updater is ridiculously fast and never asks me to
restart my system. Easily the best automatic update experience among the
various programs that constantly need to update themselves.

~~~
slackerIII
I think Chrome is still the winner here. I don't even notice when it upgrades
itself.

~~~
Qz
I'm still a Firefox devotee, so I don't have first-hand experience with
Chrome.

However, I'm not sure there's a good way for Flash to provide that kind of
seamless update experience in the same way. It's not an application in itself,
so it can't check for updates with the consistency that a browser can, and
when it does run it's always to immediately execute whatever flash content was
requested, so there's less leeway for it to start updating itself in the
background and potentially impact performance. Currently it pops up a window
on startup every once in a while (I skipped it the first time and it didn't
bug me again for maybe 2 weeks) and it's maybe 2 clicks and 20 seconds of
downloading. It's not Chrome-level seamless, but it's pretty damn good and I
was surprised by how good it was compared to Acrobat and every other updater
I've used in the past.

~~~
drivebyacct2
Flash isn't an application? Sure, its primary usage is as a plugin, but you
can be sure it's an application too. And even if there aren't EXEs anywhere
(there are), why wouldn't they bundle one specifically for auto-updates? The
rest of the industry needs to get on board with auto updates. Or Windows and
Mac need to work on some sort of package management.

~~~
Qz
I mean application from the user perspective, i.e. you don't go: "Hey I'll
start up Flash and do something with it." Other things start Flash, the user
never just starts Flash on their own.

