Adobe’s Terrible, Horrible, No Good, Very Bad Year

Adobe Acrobat has been the target for some very nasty attacks by the bad guys this year. In March, all versions of Acrobat got a major update to close a hole that theoretically allowed a computer to be possessed just by hovering over a link to an evil PDF file.

It was one of the scariest bugs in recent memory but it didn’t stop there. New exploits emerged and new patches for Acrobat and Acrobat Reader were released a couple of weeks ago. (Here’s an article with more details.) If you are prompted to update your copy of Acrobat, you should get the update; if you’re not sure, you can manually check for updates by opening Acrobat and clicking on Help / Check for updates.

Adobe has also had to deal with a security hole in Flash Media Server – not a consumer product but still not the publicity it needed.

Lots of people got excited recently when a representative of security vendor F-Secure said that almost half of the targeted attacks in 2009 were directed at Acrobat Reader. Nasty stuff, if true. (Security vendors have occasionally shown the teensiest inclination to exaggerate security problems.)

Acrobat/Acrobat Reader is installed on almost every computer, especially office computers. Adobe is facing the same dilemma that Microsoft dealt with years ago – its products have to be updated on an ongoing basis or Adobe will take the blame when the bad guys take advantage of unforeseen bugs. Many people do not understand that the Acrobat updates are there to fix security issues.

Adobe is going to adopt Microsoft’s strategy of releasing updates on a regular basis, starting with quarterly updates that will coincide with Microsoft’s “Patch Tuesday” updates on the second Tuesday of the month. Here’s an article with the details. Adobe products alert you from the lower right corner of the screen when updates are ready. Pay attention and install the Adobe updates!

Incidentally, the F-Secure rep suggested using a different PDF reader. I don’t have strong feelings about that although I don’t quite see why it’s necessary; I have good experiences with Acrobat for the most part. Security attacks against Windows and Acrobat can almost always be defeated by being careful, using common sense, and keeping things up to date.

But lots of people prefer the Foxit reader, and I’m sure it’s swell. There are many more. For what it’s worth, here’s an overview of many of the best-known alternative PDF readers by an author who reluctantly finds that each of them has some problems or is less than a perfect substitute. Foxit is singled out because it has had several security problems in the last year, including some that Symantec said were circulating in the wild. Foxit is perfectly safe – if you install updates regularly. (Sigh.)