Because most alternative PDF renderers have been worse? Charlie Miller did an analysis once, fuzzing various engines, and Adobe's actually came out on top. (Combine this then with personal experience tangentially gained during JailbreakMe 2.0 and 3.0, and I now refuse to allow Apple's PDF renderer to ever open a file on my system, and always make certain to have Adobe Reader installed on my Macs.)
There's a difference between theoretical and practical security, though. On Windows everyone targets Adobe's products, because everyone uses them, thus they present the biggest attack surface. So while e.g. Acrobat may be more secure in theory, in practice it's the least secure of all.
If OS X ships with a built-in PDF viewer then it probably presents the bigger attack surface, thus could be less secure than Adobe's products in that case. But as an individual (non-enterprise) user, statistically you'd still be better off with some niche third-party offering.
Most of the "niche" renderers use the same codebase (or at best only rely on large common libraries like FreeType); the JailbreakMe 2/3 exploits, for example, were able to affect almost all of them (its payload simply assumed it was trapped in MobileSafari and wanted root on an iPhone, but on systems without codesign I believe it could have affected just about everyone fairly generally). The thing that Adobe has going for it is that when there is a bug, they tend to fix it, they fix it correctly (JailbreakMe 3 shouldn't have been possible), and the fix is pushed quickly to users via automatic update prompts.
> Charlie Miller did an analysis once, fuzzing various engines, and Adobe's actually came out on top
The CanSecWest slides I found had him fuzzing standalone "PDF applications". This whole problem is because of handing random stuff from the internet to third-party native code! Nowadays the browsers are in a class of their own with respect to security.
Damn... So either I stick with an even less common reader or I go back to Acrobat, since they are able to fix faster. On the other hand, I didn't install the Foxit Reader plugin. I got into the habit of not installing PDF reader plugins because they make the browser freeze and crash even without vulnerabilities...
If you were an enterprising hacker with a lot of time on his/her hands, I imagine Adobe Reader and Flash Player would be a great place to focus on for selling software exploits to the US Government. I hear they are paying nicely these days for verifiable not-yet-released in the wild exploits.
The US government would have to pay each independent discoverer of the not-yet-released exploit, no? If they said 'no thanks, we've already got that one,' the second discoverer could just turn around and disclose it, making the original purchase a lot less valuable.
What, besides their own sense of ethics, stops the original exploit discoverer from selling the exploit to someone else, who will then resell it back to the US government? That seems like a lot easier way to get more money from your exploit than, say, developing contacts with a second government.
The only way I can think of for the US government to effectively prevent you from reselling your exploits is to monitor your communications and finances for anything shady - whenever the exploit is independently discovered, they would have to do some research into your behavior to make sure it was actually independently discovered. Hell, why wouldn't they do this monitoring all along to make sure you're not trying to sell it to a foreign government?
I'm probably just paranoid, but being one of the few people who know something the US government would like to keep a secret doesn't sound like a good position to be in. I'd want to be rather well paid.
In the U.S., the National Security Agency and other branches of the U.S. military, law enforcement and intelligence agencies are among the biggest buyers of vulnerabilities. But there are other buyers, including any party with an interest in being able to penetrate an adversary's computer network.
You don't (for the most part). You'd actually sell it to one of about a dozen small firms around the beltway who purchase vulnerabilities (who in turn either license "exploit-packs" to the government, or who work on specific tactical campaigns using said exploits).
I've always wondered how one would find a contact within such a community. I know there's an old joke about looking for a job at the NSA: "The NSA offers exciting and interesting work for recent college graduates in mathematics and computer science. Pick up the phone, call your mom, and ask for an application."