Adobe Chided For Insecure Acrobat Reader

kdawson posted more than 5 years ago | from the old-skool-distribution dept.

Security 179

The Register covers security firm Secunia calling out Adobe for its insecure distribution practices with regard to Adobe Reader. (Here is Secunia's note.) The accusation is that the way Adobe provides Reader extends the software's window of vulnerability once an exploit has begun to circulate. Version 9.1 of Reader, which is what you get when you visit the official download site, contains 10 vulnerabilities that were patched by later releases. "Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild... Visitors who obtain Adobe Reader from the company's official downloads page will find that it installs version 9.1 of the program on their computers, even though the most recent version was 9.1.2 at time of writing. That could put users at considerable peril given the number of vulnerabilities fixed in the two iterations that have come since 9.1, complains Secunia..."

third! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28779431)

third!

What? (5, Funny)

Anonymous Coward | more than 5 years ago | (#28779447)

There's a version without vulnerabilities?

Re:What? (4, Funny)

Jurily (900488) | more than 5 years ago | (#28779821)

There's a version without vulnerabilities?

Yeah, the experimental branch called Foxit Reader. I heard it's a lot faster, too.

Re:What? (0)

Anonymous Coward | more than 5 years ago | (#28779915)

Kaan [kaankilic.com] | [maktes.com.tr] | Maki-Naci [maki-naci.com] | Peynirci Salih [peynircisalih.com]

Re:What? (3, Funny)

Kozz (7764) | more than 5 years ago | (#28780289)

Gesundheit.

Hey Obama, what's the rush on healthcare? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28779965)

http://blog.newsweek.com/blogs/thegaggle/archive/2009/07/21/romney-on-obama-s-push-for-health-reform-slow-down.aspx [newsweek.com]

I'm afraid I have to agree with Romney on this one. Such an important piece of legislation that is going to fundamentally alter such a large chunk of the economy deserves a thorough vetting, and some real leadership from Obama to stick to his campaign promise of bipartisan support and changing the tone in Washington, not twisting arms and cramming through a bill that he admittedly isn't even familiar with. America needs real leadership and real solutions, not another trillion-dollar entitlement with unfunded mandates for the states. We already have THAT system. It's called MedicAid.

Huh? (4, Insightful)

CarpetShark (865376) | more than 5 years ago | (#28779449)

Just about every binary distribution on windows is doing something similar these days. Short of someone building a proper, open, distributed, secure package manager for windows, they're probably doing the best they can by having updates at all. It's better than having to go check the webpage for corrections.

That said, if this kind of complaint becomes more common, and all software is seen as flawed in this regard, then it'll be a great push towards proper package management on windows.

Re:Huh? (2, Insightful)

moon3 (1530265) | more than 5 years ago | (#28779489)

proper, open, distributed, secure package manager for windows

I still very much prefer the Internet to be the download system for Windows applications, where authors have control and choice over their distribution channels.

Re:Huh? (1)

compro01 (777531) | more than 5 years ago | (#28779531)

His suggestion by no means precludes your desire. Take APT+synaptic (or whatever GUI frontend you like, or just the command line if you want), for instance. Nice centralized way to get and update programs. But if you want to host .deb files on your own site and not deal with repositories, that works fine too.

Re:Huh? (5, Interesting)

hairyfeet (841228) | more than 5 years ago | (#28779801)

As a PC repairman I hate to break the news to y'all, but home users never update the damned PC. You could give them Apt and it would be just one more update they don't actually use. I have had machines come across my desk with 4+ year old copies of Norton AV (expired of course) and not a single update applied since they left the factory. That is just SOP for a good 90% of home users.

That is why my customers love me so much, because my motto is "do the thinking so they don't have to". So not only do I use Autopatcher [autopatcher.com] to install all the current updates and have the latest service packs as well as set autoupdate for the OS, but I install Foxit [foxitsoftware.com] set to autoupdate, have Spybot [safer-networking.org] scheduled to autoupdate and scan, install Comodo AV/Firewall [comodo.com] and have it set to scan on the customer's schedule, install Firefox [mozilla.com] and set it to be the default browser, install the latest Flash and Shockwave and Java as well as Klite Mega codec pack so I don't have to worry about them downloading dodgy codecs, and finally install VLC Player [videolan.org] which autoupdates and have it set as default video player.

While I don't get the return business of those that just reinstall and hand it to the customer to bone again I make up for that in referrals. But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation and I'm sure the EU would find a reason to have a shitfit, but then MSFT would get to deal with 3 or 4 years worth of lawsuits when they refuse to "provide" the myriad of programs that insist on installing toolbars or unrelated programs, like Java (toolbar) or iTunes (unrelated Safari and Quicktime).

So while having a central repository works for Linux, it simply would never work for Windows. Between trialware, crapware, toolbar installers, and unrelated installers you would either make it a one stop shop for crap which means the users would never allow it to run, or MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

Re:Huh? (0)

TheP4st (1164315) | more than 5 years ago | (#28779875)

MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

Must.. resist... urge... to... make... joke... about... MS.. and.. courts... and... crapware

Re:Huh? (4, Interesting)

jgrahn (181062) | more than 5 years ago | (#28779933)

But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation and I'm sure the EU would find a reason to have a shitfit, but then MSFT would get to deal with 3 or 4 years worth of lawsuits when they refuse to "provide" the myriad of programs that insist on installing toolbars or unrelated programs, like Java (toolbar) or iTunes (unrelated Safari and Quicktime).

So while having a central repository works for Linux, it simply would never work for Windows. Between trialware, crapware, toolbar installers, and unrelated installers you would either make it a one stop shop for crap which means the users would never allow it to run, or MSFT would spend the next decade in court for refusing to allow crapware into the repository. So sorry, it just wouldn't work.

How about a standard place in Windows where a newly installed program could register itself? Like, "I am FooBar version 69, and updates to me will be available at http://foobar.org/blah [foobar.org] and signed with this public key". Then you could have a machine-global Update Everything button go through them and do updates as needed. Doesn't solve dependency tracking though.

(Not that I care -- it's the Windows users' problems, not mine.)

Re:Huh? (2, Insightful)

Opportunist (166417) | more than 5 years ago | (#28780045)

I try to refrain from thinking too hard how to abuse this ... too late.

Re:Huh? (4, Insightful)

commodore64_love (1445365) | more than 5 years ago | (#28780227)

"Hello. I am SpyBot version 42, and updates to me will be available at http://nigeriaisafunplacetosteal.com/ [nigeriaisa...osteal.com] and signed with this public key."

There has to be some oversight from Microsoft to prevent this from happening, and we know from Apple's iPhone approval/disapproval process how well that does Not work.

Re:Huh? (0)

Anonymous Coward | more than 5 years ago | (#28780337)

Could probably just put an extra key, subkeys, and set of values in the windows registry, and have the existing windows update site call those...

HKLM\Software\Updates\%PROGRAM_NAME_OR_GUID%

String Value - UpdateURL

DWORD Value - AppVersion

Sure, you could say that a malicious program could tamper with this, but really, malicious programs tamper with the registry, and the ability for windows and antivirus programs to update ALREADY...

Re:Huh? (1, Informative)

Gnavpot (708731) | more than 5 years ago | (#28779997)

But thinking something like Apt would be a silver bullet for home users is strictly a fantasy. First it would have to be run by MSFT to incorporate the Windows patches as well as third party updates, which would lead to vendors screaming and probably an antitrust investigation
[...]
So while having a central repository works for Linux, it simply would never work for Windows.

It is obvious that your statement is based on a lack of knowledge of apt.

Apt does not depend on a central repository. Yes, there is a central repository for the distribution's official packages. No, you are not limited to using this repository.

Any software vendor can set up an apt repository, and you can add that repository to /etc/apt/sources.list including keys for signed packages.

In the Windows version, this would mean that an installer for a third-party program could add keys and download information to an update service running on the local PC. MS would not need to be involved at all - but they would need to make an updating routine with an open interface.
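The local update service proposed in the comments above (an installer registers a name, version, update URL and public key once, and an updater checks vendor manifests against them), as an added example that is not code from any commenter or from Windows. The `Entry`, `Manifest` and `Registry` types, the manifest format and the `foobar.example` host are assumptions; the example is narrowed to the checks that answer the abuse concern raised in the replies: key pinning, signature verification and downgrade rejection.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Entry is what an installer registers once (hypothetical schema).
type Entry struct {
	Name, Version, UpdateURL string
	PubKey                   ed25519.PublicKey
}

// Manifest is what UpdateURL is assumed to serve (hypothetical format).
type Manifest struct {
	Name, Version, Download string
	Signature               []byte
}

type Registry map[string]Entry

var (
	ErrRepin     = errors.New("existing entry: key or URL may not be replaced")
	ErrSignature = errors.New("manifest not signed by a pinned key")
	ErrDowngrade = errors.New("manifest is older than the installed version")
)

// signedBytes quotes every field so field boundaries cannot be shifted.
func (m Manifest) signedBytes() []byte {
	return []byte(fmt.Sprintf("%q %q %q", m.Name, m.Version, m.Download))
}

// Sign is the vendor side: only the vendor holds priv.
func Sign(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Register pins key and URL on first install; later calls may not swap them.
func (r Registry) Register(e Entry) error {
	old, seen := r[e.Name]
	if seen && (!old.PubKey.Equal(e.PubKey) || old.UpdateURL != e.UpdateURL) {
		return ErrRepin
	}
	r[e.Name] = e
	return nil
}

// CompareVersions orders dotted numeric versions; "9.1" equals "9.1.0".
func CompareVersions(a, b string) (int, error) {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var n [2]uint64 // a missing component counts as 0
		for j, p := range [][]string{pa, pb} {
			if i < len(p) {
				v, err := strconv.ParseUint(p[i], 10, 32)
				if err != nil {
					return 0, fmt.Errorf("non-numeric version component %q", p[i])
				}
				n[j] = v
			}
		}
		if n[0] < n[1] {
			return -1, nil
		} else if n[0] > n[1] {
			return 1, nil
		}
	}
	return 0, nil
}

// Check reports whether m is a correctly signed, newer release of a known app.
func (r Registry) Check(m Manifest) (bool, error) {
	e := r[m.Name] // an unregistered name has no pinned key and fails below
	if len(e.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(e.PubKey, m.signedBytes(), m.Signature) {
		return false, ErrSignature
	}
	c, err := CompareVersions(m.Version, e.Version)
	if err != nil {
		return false, err
	}
	if c < 0 {
		return false, ErrDowngrade
	}
	return c > 0, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	reg := Registry{} // constructed sample data; Register cannot fail when empty
	_ = reg.Register(Entry{"FooBar", "9.1", "https://foobar.example/updates", pub})
	m := Manifest{Name: "FooBar", Version: "9.1.2", Download: "https://foobar.example/foobar-9.1.2.msi"}
	fmt.Println(reg.Check(Sign(priv, m))) // true <nil>
}
```

Pinning only protects updates to an entry that was honest when first registered; it does not decide whether the first registration should be trusted.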

Re:Huh? (1)

commodore64_love (1445365) | more than 5 years ago | (#28780181)

>>>As a PC repairman I hate to break the news to y'all, but home users never update the damned PC. you could give them Apt and it would be just one more update they don't actually use.

I don't update my PC.

It's because I no longer trust y'all.

Too many times I've installed updates from Mickeysoft or Exploder or various Firepox Addons (think noscript), only to discover the latest update was, itself, broken. i.e. My computer stopped doing what it used to do. Why would I want to accept revisions of software that's going to make my machine stop working? "If it ain't broke, don't fix it" has become my philosophy because I'm tired of getting updates that break things.

Aside-

There was a time when we didn't have the internet and software shipped on floppies or CDs, so programmers were expected to get the software working 100% out the door. No second chances. i.e. The same constraints we hardware engineers have to deal with - get it right out the door.

Re:Huh? (1)

commodore64_love (1445365) | more than 5 years ago | (#28780203)

Package managers? APT+synaptic?

I wish I knew what ye were talking about. (shrug). I don't see anything wrong with the current model of having each program "phone home" and check for updates when you run it.

Re:Huh? (5, Insightful)

DavidRawling (864446) | more than 5 years ago | (#28779495)

The thing is, they (Secunia) have a point. Why are Adobe offering the old version, and requiring updates post-installation, for a version that is known to have serious issues?

Let's face it, people install it because they want to view the PDF file they've just received, or downloaded. They're not going to be conscientious about updates because they just downloaded it and they expect it to be up to date. Let's not forget that plugins have pretty much always worked that way (eg Flash).

Re:Huh? (5, Insightful)

MichaelSmith (789609) | more than 5 years ago | (#28779537)

If Adobe didn't want to continually change the released version they could change the installer once to check for new versions.

Re:Huh? (2, Interesting)

bheer (633842) | more than 5 years ago | (#28779851)

Indeed, that is exactly what the IE7 and IE8 installers do. So even if someone burnt an old version of IE7/8 to CD and distributed it with a magazine, anyone installing it with a net connection would automatically get updates.

Re:Huh? (1)

Threni (635302) | more than 5 years ago | (#28780099)

> If Adobe didn't want to continually change the released version

How many versions are they releasing?

Never mind the installer - why doesn't the program itself check each time it's run, like Firefox?

Indeed (1)

siloko (1133863) | more than 5 years ago | (#28779611)

Why are Adobe offering the old versions?

Absolutely! I'm no html guru but surely it shouldn't take a company with Adobe's technical knowhow to update an "a href" tag . . . in fact, come to think of it, I would do it myself for a small fee . . .

Re:Indeed (1)

commodore64_love (1445365) | more than 5 years ago | (#28780249)

What technical expertise? Adobe apparently has none.

Kinda like the place I work (government).

Re:Huh? (5, Insightful)

rysiek (1328591) | more than 5 years ago | (#28779497)

The problem is not that there is no package manager, automagically updating the packages; the problem is, on Adobe Reader's official download page there is an outdated version featured. So everybody that gets directed to that page through google search or whatever, downloads and installs an unpatched, vulnerable and exploitable version. Cheers

Re:Huh? (0)

Anonymous Coward | more than 5 years ago | (#28779507)

Just about every binary distribution on windows is doing something similar these days.

Um, no. The issue here is that the download available from Adobe's web site is not the most recent released version of Adobe reader (e.g. you still download 9.1.0 even though 9.1.2 has already been released). I really can't think of any other software where this is the case. If you download Firefox you get version 3.5.1 not 3.5.0, if you download Java you get version 6u14 not the original release of Java 6.

Re:Huh? (1)

CarpetShark (865376) | more than 5 years ago | (#28779703)

I really can't think of any other software where this is the case.

I've seen plenty. It's also what happens just about every time you install from a retail package. And that's the GOOD software that has updates at all.

Re:Huh? (0)

Anonymous Coward | more than 5 years ago | (#28779737)

It's also what happens just about every time you install from a retail package

Only if from a disk, where the media it's on is the issue. There simply is no excuse for not doing it when distribution is via the internet.

Re:Huh? (4, Interesting)

bheer (633842) | more than 5 years ago | (#28779547)

Indeed. And given that Windows Update already exists, and given that Microsoft is antitrust-law bound to allow everyone equal access to Windows, why not open up Windows Update to allow it to update all your apps? Microsoft Update (an extension to Windows Update) already updates things like Office, .net, silverlight, etc. So why not publish a white paper on how to get your app included in Windows Update in a fair, non-discriminatory manner?

(Alternatively, folk could band around the open-source GoogleUpdate backend. These days it doesn't even run all the time [blogspot.com] .)

I for one would love to see the end of lots of different *update.exe apps running on the average user's computer.

Re:Huh? (2, Interesting)

jonwil (467024) | more than 5 years ago | (#28779639)

I have the following updaters running on my system:
Miranda IM (built into the program and just opens the URL to the new full-installer in the default browser)
AVG (built into the resident parts of the program)
Acrobat Reader Updater
Sun Java Updater
Microsoft Update (set to not download automatically since I prefer to have choice in which updates I install)
various games (most of which check for updates when I connect to the online bit)

Conversely, there are programs I wish DID have automatic updaters:
SeaMonkey (my copy of 1.1.x doesn't seem to have one)
Nvidia Display Drivers (the only way to go seems to be manual download or via some widget that SM1.1.x doesn't support)

Re:Huh? (1)

bheer (633842) | more than 5 years ago | (#28779687)

Windows Update has been distributing display drivers for some time, but the driver provider has to have a deal with Microsoft. It's really convenient - on Windows 7, WDDM display driver updates don't even require a restart. I wish more driver manufacturers made sure their product was distributable via WU. An open API to WU would make things so much simpler.

Re:Huh? (1)

mlts (1038732) | more than 5 years ago | (#28779669)

Maybe Microsoft could have this as part of the Windows Logo requirement. This could be implemented in two ways:

The first is actively hosting all updates. The problem with this is that it would require very large amounts of bandwidth, so there would have to be a revenue stream to Microsoft for them to be able to do this and remain profitable.

The second is having a pointer to the vendor's download URLs for a file. This is a lot easier, but still requires some added infrastructure and bandwidth. However, third party utilities like Secunia's PSI are able to hunt down and point out outdated/insecure versions, so it wouldn't be too onerous for a central switchboard for application vendors to have one place for update checking. Acresso (formerly Macrovision) has this functionality in their FLEXnet Connect product.

Re:Huh? (1)

CarpetShark (865376) | more than 5 years ago | (#28779717)

(Alternatively, folk could band around the open-source GoogleUpdate backend. These days it doesn't even run all the time.)

I didn't know this had been opened up. Thanks for the pointer :)

Re:Huh? (0)

Runaway1956 (1322357) | more than 5 years ago | (#28779553)

sudo apt-get remove windows

Re:Huh? (0)

Anonymous Coward | more than 5 years ago | (#28779741)

LOL! Good one Runaway1956! Laughed until I cried.

Re:Huh? (1)

mrsurb (1484303) | more than 5 years ago | (#28779761)

sudo apt-get purge windows

There - fixed that for you. Just in case.

Re:Huh? (0)

Anonymous Coward | more than 5 years ago | (#28779927)

apt-get fucked

Re:Huh? (1)

jonwil (467024) | more than 5 years ago | (#28779587)

Even if Windows DID have a proper package manager (from Microsoft or anyone else), many companies would not want to use it since it takes away control over certain things. For example, Norton checks your serial number and details against the database of valid licenses before it will download any updates (so pirates can't crack it to get it to pull virus updates that they haven't paid for). The updater for Apple products always tries to convince you to install the products you don't have (if all you have is Quick Time, it tries to push you to install iTunes and Safari as well, which is why I don't have Quick Time on any PC I own).

Re:Huh? (0)

Anonymous Coward | more than 5 years ago | (#28779603)

If I were to download a popular linux distribution, will the CD install the latest patches; or is it better to install your packages from the repositories rather than a disc?

Re:Huh? (2, Informative)

Spit (23158) | more than 5 years ago | (#28779637)

Ubuntu installer will download all the patches before rebooting to the installed system.

Re:Huh? (2, Interesting)

Spit (23158) | more than 5 years ago | (#28779617)

All they can? Are you fucking serious? How about not coding such shitty software in the first place, for starters.

Re:Huh? (1)

Opportunist (166417) | more than 5 years ago | (#28780073)

Easier said than done. You're not in OSS land here, you're not dealing with a program designed, envisioned and projected by programmers. You have a beancounter and a manager who want that program on the street before their quarter report is due.

It's not that the shipping date is when it's done. It's done when the shipping date rolls over.

Re:Huh? (1)

BumbaCLot (472046) | more than 5 years ago | (#28780281)

I think you completely missed the point.
Adobe is a huge company, with tons of resources, and they are shipping TODAY an insecure version that is the cause of most zombied / spyware infested computers in the past few months.
All they have to do is put the patched version on their freaking download page!

Adobe Reader has always been bad for this. (2, Interesting)

BikeHelmet (1437881) | more than 5 years ago | (#28779467)

Adobe Reader has always been bad for this - even back when it was called Acrobat Reader.

Aside from having dozens of different versions installed - whatever version you installed was always out of date, unless you started it up (which took ages), and clicked the Check for Updates button. Then it'd tell you you're out of date. You download an update, it restarts, and then you do it again... and it downloads another update. It installs the update, and restarts, and then you do it a third time to check for another update.

After all, jumping from 8.1 to 8.1.3 is much too large of an increment. Each version must be applied incrementally, and it's completely illogical to download every required update at the same time.

Ahh... the fond memories! It takes me right back. Now I remember their artificially slow installers, that did nothing for minutes on end just because of your OS. Such pleasant times!

Re:Adobe Reader has always been bad for this. (2, Interesting)

bheer (633842) | more than 5 years ago | (#28779555)

That's bothered the heck out of me too! It's almost like Adobe doesn't have a clue about doing proper updates. They should really pay some guys from Mozilla to come and teach 'em. Say what you like about Firefox, it was the first Windows product I've used which devoted a good deal of engineering thought to making updates easy.

Re:Adobe Reader has always been bad for this. (1)

pedestrian crossing (802349) | more than 5 years ago | (#28779727)

Say what you like about Firefox, it was the first Windows product I've used which devoted a good deal of engineering thought to making updates easy.

Not enough, apparently.

Where I work, they are about to remove the 'fox from all systems because updates make it the default browser, even if it wasn't the previous default. There is currently no way to prevent that from happening.

Not exactly enterprise-friendly behavior...

Re:Adobe Reader has always been bad for this. (1)

bheer (633842) | more than 5 years ago | (#28779811)

Does it do that? I use Firefox at work and it auto-updates, but IE7 is my default (for intranet apps). But yes, it is enterprise unfriendly - there's also the small matter of *still* not providing official MSIs and an official admin/customisation kit.

Still, Firefox's update is amazing for home users. You can be reasonably sure that a majority of home users will be running the latest version within days, thanks to its silent, no-fuss approach to updating. And it works without a ridiculous FirefoxUpdate.exe running constantly in the background.

Re:Adobe Reader has always been bad for this. (1)

pedestrian crossing (802349) | more than 5 years ago | (#28779873)

Does it do that? I use Firefox at work and it auto-updates, but IE7 is my default (for intranet apps).

It does if you push the update. Unfortunately, where I work they can't allow auto-updates. Again, very enterprise unfriendly...

Re:Adobe Reader has always been bad for this. (1)

Nerdfest (867930) | more than 5 years ago | (#28779799)

They seem to have had Windows developers in to teach them about writing secure software.

Re:Adobe Reader has always been bad for this. (1)

bheer (633842) | more than 5 years ago | (#28779833)

What's funny is that things would be better if that was true. An auto-updated Windows install is pretty secure out of the box these days. Microsoft's SDLC (Secure Development Lifecycle) seems to be showing results -- haven't you noticed how the attack surface of choice on Win32 tends to be apps/plugins these days? (or unpatched Windows installations).

Adobe meanwhile looks like its dev practices are stuck in 1999.

Re:Adobe Reader has always been bad for this. (1)

jonadab (583620) | more than 5 years ago | (#28779847)

> Say what you like about Firefox, it was the first Windows product I've used
> which devoted a good deal of engineering thought to making updates easy.

And they got it wrong. Badly wrong.

Firefox updates don't happen, EVER, unless someone logs into the computer under a privileged administrative account. On a normal desktop computer, that shouldn't need to happen on a regular basis.

Assuming the administrator who does the install doesn't uncheck the auto-update checkbox, the updates should happen automatically, in the background, whether there's even a user logged in or not, *completely* irrespective of what privileges the logged-in user does or doesn't have.

Granted, Symantec and Microsoft are barely better at this. They theoretically have their updates set up to happen automatically in the background, but then about every third update or so there's one that won't, until an administrator logs in and does the update manually. In Microsoft's case, this is usually because the update wants to prompt the user to agree to yet another pointless EULA. I have no idea what Symantec's excuse is.

Re:Adobe Reader has always been bad for this. (1)

bheer (633842) | more than 5 years ago | (#28779903)

I agree it's not perfect. But for the most common use case -- home users who use XP/Vista in the 'usual way' -- it got things right.

I can actually appreciate how Google Chrome installs into %appdata% to avoid requiring admin access to auto-update. But somehow installing apps to %appdata% feels so ... wrong.

Re:Adobe Reader has always been bad for this. (1)

lorenlal (164133) | more than 5 years ago | (#28780019)

But somehow installing apps to %appdata% feels so ... wrong.

Well, it's no different than installing an application to ~/bin. Yes, the real path is kinda messy pre-Vista, but now it's normally C:\Users\Username\Programs... Which isn't really any more wrong than [/export]/home/username/bin.

In fact, I kinda like it. The permissions are all limited, you don't even need to spend time as an admin to get it installed. Plus, the worst that needs to happen is an administrator says, "Save your documents, I'm going to wipe your profile."

Re:Adobe Reader has always been bad for this. (1)

colfer (619105) | more than 5 years ago | (#28779863)

Firefox 3.0.12 updates to 3.5, when you ask for updates. Then if you ask again, you get 3.5.1, to fix the critical security bug in JIT.

Re:Adobe Reader has always been bad for this. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28779559)

I've heard (it may be just a rumor, can't say for certain) that Acrobat Reader was originally developed using aborted fetuses, glue and AIDS. Still I don't know if it's true or not but it could help explain why it sucks horse dick.

Re:Adobe Reader has always been bad for this. (1)

jonadab (583620) | more than 5 years ago | (#28779823)

> even back when it was called Acrobat Reader.

Clear back then, huh? What was that, a whole two years ago?

Kids. Sheesh.

Fuck you asswipes at slashdot, fuck you royally !! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28779469)

The problem with really getting engaged in a community is getting through the clutter and noise. In a closed environment like nin.com a lot of this can be moderated away, or code can be implemented to make it more difficult for troublemakers to persist. It's tedious and feels like wasted energy doing that shit, but some people exist to ruin it for others - and they are the ones who have nothing better to do with their time. Example: on nin.com, there's 3-4 different people that each send me between 50 - 100 message per day of delusional, often threatening nonsense. We can delete them, but they just sign back up and start again. Yes, we are implementing several changes to address this, but the point is it quickly gets very old weeding through that stuff.

Rewarding incompetence (5, Informative)

mr_stark (242856) | more than 5 years ago | (#28779573)

Don't use Acrobat... There are several alternatives available all less bloated:

GPL'd PDF reader: http://blog.kowalczyk.info/software/sumatrapdf/index.html [kowalczyk.info]

Commercial: http://www.foxitsoftware.com/pdf/reader/ [foxitsoftware.com]

Re:Rewarding incompetence (5, Informative)

bheer (633842) | more than 5 years ago | (#28779655)

Unfortunately, it isn't that simple. Many of the alternatives lack key features that make it difficult for many users.

IIRC there are some kinds of PDF Forms [foxitsoftware.com] which still cause problems in Foxit Reader. Also, because Foxit doesn't have CoolType and Adobe does, PS/OpenType fonts which are not specifically hinted for the screen (and are used by many design shops) look *much* better on Adobe reader than Foxit, making it invaluable for pre-publishing previews.

Also, specifically for Foxit -- it has its own share of vulnerabilities.

Re:Rewarding incompetence (0)

Anonymous Coward | more than 5 years ago | (#28779841)

Also, specifically for Foxit -- it has its own share of vulnerabilities.

Perhaps, but it's not as bloated/crappy as Adobe Reader.

Re:Rewarding incompetence (1)

Jeff DeMaagd (2015) | more than 5 years ago | (#28780037)

> IIRC there are some kinds of PDF Forms which still cause problems in Foxit Reader.

The support in the thread claim that it's been mostly fixed, and that is as of two to three months ago.

> Also, because Foxit doesn't have CoolType and Adobe does, PS/OpenType fonts which are not specifically hinted for the screen (and are used by many design shops) look *much* better on Adobe reader than Foxit, making it invaluable for pre-publishing previews.

It's a valid point for some users. But given that most people aren't in publishing (it's just one of numerous industries), it's probably not much of a selling point for most people.

I would suspect that most people wouldn't notice much of a difference if their reader was suddenly substituted.

Even if Foxit has as many or as big of vulnerabilities, its relative user base footprint is pretty small, you would have to be somehow specifically targeted for sensitive reasons.

Re:Rewarding incompetence (1)

yoris (776276) | more than 5 years ago | (#28780391)

It says a lot about the world that no other nation yet has the 1st and 2nd amendment.

Just out of curiosity, is this supposed to say something about the US or about the rest of the world? In the latter case, what exactly is the fact that the other democracies of the world did not choose to make the right to keep firearms in the house a constitutional right supposed to say about them?

Re:Rewarding incompetence (0)

Anonymous Coward | more than 5 years ago | (#28779845)

Sumatra is a piece of shit that simply crashes on many many PDFs that Okular [kde.org] , for example, handles perfectly.

Nitpick (-1, Flamebait)

iamacat (583406) | more than 5 years ago | (#28779581)

Every software has bugs, including security vulnerabilities. Actively fixing such bugs and releasing updates already gives a credit to a company, even if there is a slight delay incorporating patches into an official download. Complaining that initial download contains 9.1 vs 9.1.2 is just splitting hairs.

Re:Nitpick (2, Informative)

IBBoard (1128019) | more than 5 years ago | (#28779641)

Complaining that initial download contains 9.1 vs 9.1.2 is just splitting hairs.

That depends on the difference between 9.1 and 9.1.2. If the difference is a week or two (i.e. the bug fixes haven't been out long) then it's not unreasonable to have a delay updating the download (although it would obviously be better to update it as well rather than distribute known vulnerabilities). If the difference between them is several months or more then it's less excusable and they've had plenty of time to update it.

Re:Nitpick (1)

Opportunist (166417) | more than 5 years ago | (#28780107)

If the difference is a potentially system crippling exploit, it's not excusable. No matter how new or old. That's like saying having the Linux-kernel 2.4.11 a bit longer out for download wouldn't have been so bad either.

Re:Nitpick (1)

IBBoard (1128019) | more than 5 years ago | (#28780191)

Okay, so there are two conditions: time and criticality. Still, the fact that it is "only" 9.1.0 to 9.1.2 doesn't mean that it shouldn't be updated, but if it is a short period since the patch release and it is a minor patch then the company may have website update policies that mean the new download is pushed to the web server later than the patch.

Re:Nitpick (1)

Culture20 (968837) | more than 5 years ago | (#28780457)

That depends on the difference between 9.1 and 9.1.2. If the difference is a week or two (i.e. the bug fixes haven't been out long) then it's not unreasonable to have a delay updating the download

A week or two? Really!? An hour or two maybe. Worst case scenario: Until 8:00AM Monday if the patch was made 5:00PM Friday. Never longer.

Re:Nitpick (0)

Anonymous Coward | more than 5 years ago | (#28779719)

Actively fixing such bugs and releasing updates already gives a credit to a company, even if there is a slight delay incorporating patches into an official download.

So... how many months is no longer "a slight delay" in your books?

Downloading Adobe Bloater? (1, Insightful)

Runaway1956 (1322357) | more than 5 years ago | (#28779591)

People who are downloading Adobe deserve what they get. There are PDF readers on the net that download in 1/10th the time, use less than 1/10th of the resources, run faster, with more features, and WITHOUT the vulnerabilities. Most are free for personal use, most have features that can be unlocked by upgrading, and even the upgraded version can be had for "free" through the advertising schemes. If all a person ever needs to do is read a document published on the web, he doesn't even NEED any features.

It's been years since I installed Acrobat or Adobe reader, and I'll never install it again.

Re:Downloading Adobe Bloater? (0)

Anonymous Coward | more than 5 years ago | (#28779609)

Let me guess, you swore off women, booze, and drugs, AND anything adobe. Goodluckwiththat but we in the real world, beyond the garage, need software that does what we, the bug boys, need to do.

Re:Downloading Adobe Bloater? (0)

Anonymous Coward | more than 5 years ago | (#28780127)

Haha what a douchefag. OK "big boy", whatever you say.

Re:Downloading Adobe Bloater? (1)

mrrudge (1120279) | more than 5 years ago | (#28780131)

Note to self : Remember bug boys need Adobe Acrobat. Should come in handy when I work out what a bug boy is, maybe an entomologist ?

Re:Downloading Adobe Bloater? (0)

Anonymous Coward | more than 5 years ago | (#28779633)

I wish the same was true for the adobe crash player... :(

but the alternatives sometimes don't even work with youtube...

Re:Downloading Adobe Bloater? (2, Insightful)

Norsefire (1494323) | more than 5 years ago | (#28779653)

If all a person ever needs to do is read a document published on the web, he doesn't even NEED any features.

At least you've made the clarification. There are too many people who reckon Acrobat is bloated because they have never done anything more with a PDF than double-click the icon and read it. In the Industry I work, Acrobat is missing features that we need, which we make up by using plugins.

Re:Downloading Adobe Bloater? (1)

negge (1392513) | more than 5 years ago | (#28779999)

If Adobe Reader, the most full-featured and bloated PDF reader on the market misses some features you need, maybe you should consider using an alternative format for whatever it is you do? It's like complaining that Firefox doesn't have very good FTP support so you have to use FireFTP instead (when you in fact should be using a proper FTP client).

Re:Downloading Adobe Bloater? (0)

Anonymous Coward | more than 5 years ago | (#28779661)

I think you'll find the free alternatives also have about 1/10th of the features of Adobe Reader. Of course, 9/10th of the features in Adobe Reader are stuff you don't actually want, like forms, javascript, 3D, digital rights management ...

<sarcasm>Let's all switch to Microsoft's XML Paper Specification (XPS).</sarcasm>

Re:Downloading Adobe Bloater? (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#28779715)

Can those other readers let me make adjustments to spot colors and CMYK values? Can they let me adjust the trapping of those colors? Or adjust the dot gain and head angles for the inks that will be used when the piece is printed? Do they properly show overprint? Can they adjust the crop box, media box, and artwork boxes (three separate things that can all be included in a single piece)? I could go on and on, but I think I know what your answer will be.

Re:Downloading Adobe Bloater? (0)

Anonymous Coward | more than 5 years ago | (#28779795)

Somehow I fail to see why I would need any of these features if all I wanted to do was read a document published on the web.

Re:Downloading Adobe Bloater? (1)

Sir_Lewk (967686) | more than 5 years ago | (#28779923)

and even the upgraded version can be had for "free" through the advertising schemes

Why does this sound even more unpleasant and risky than just installing Adobe Reader?

Who the heck still uses Acrobat Reader? (1, Redundant)

blind biker (1066130) | more than 5 years ago | (#28779629)

I thought by now everyone got the point that Acrobat Reader is a bloated crashware and have switched to Foxit or other alternatives. I'm not saying Foxit is more secure (I don't really know), but I thought that the abomination that emanates from Acrobat Reader has shrunk their market share so much that any security issues it may have, would be irrelevant.

Re:Who the heck still uses Acrobat Reader? (3, Insightful)

IBBoard (1128019) | more than 5 years ago | (#28779649)

How many websites have you seen that say "here's a PDF of a document - you'll need to download Adobe Reader [insert link] if you want to view it" and how many say "here's a PDF of a document - you'll need to download a PDF reader such as Adobe Reader [insert link], Foxit [insert link], ... if you want to view it"? Most commercial sites that distribute PDFs recommend Adobe, and if you're not a techy then you'll assume that Adobe is all you can use. Why do you think so many people used IE6 when Firefox and Opera were available?

pdfreaders.org! (1)

Karellen (104380) | more than 5 years ago | (#28779881)

"...you'll need to download a PDF reader such as Adobe Reader [insert link], Foxit [insert link], ... if you want to view it"

No, no, no!

It's "you'll need to download a PDF reader [pdfreaders.org] ".

pdfreaders.org even has free icons [pdfreaders.org] which you can use to replace the more usual Adobe-based PDF icons.

Re:Who the heck still uses Acrobat Reader? (2, Funny)

jonadab (583620) | more than 5 years ago | (#28779905)

> How many websites have you seen that say "here's a PDF of a document -
> you'll need to download Adobe Reader [insert link] if you want to view it"

If the webmaster had ever watched an end user try to use a computer, he'd Stop Doing That.

Almost universally, the end user does not understand the above paragraph. He gets as far as the link to Acrobat Reader, clicks it (even though of course his computer already has Acrobat Reader; but he doesn't know that, because he doesn't even know what it means), and expects to immediately see the content he's looking for (even though he hasn't clicked, or even noticed, the link to the actual document; generally he thinks the download link he just clicked *is* the document). If he's lucky, at this point, the web browser downloads Yet Another Copy of the Adobe installer and puts it in the default download folder (probably the desktop, unless the computer's been worked over by a competent computer geek at some point). At this point the user has absolutely no idea why the document isn't opening, so he tries again. And again. I've never EVER seen an end user's default download folder with fewer than three copies of the Adobe installer, and six or eight is more common. Eventually, depending on what kind of person the user is, he either gives up (this is the most common outcome) or seeks help from someone he thinks is a computer expert. If he's lucky, his "computer expert" actually understands enough about computers to help him, but at least half the time it's somebody just as clueless as he is (albeit more confident), and they tell him his computer has a virus, which confirms what he suspected anyhow.

Re:Who the heck still uses Acrobat Reader? (1)

IBBoard (1128019) | more than 5 years ago | (#28780165)

If the webmaster had ever watched an end user try to use a computer, he'd Stop Doing That.

That assumes that most corporate webmasters a) care about that kind of thing (which seems unlikely when Flash is involved in many sites), b) have any control over that kind of thing (which seems unlikely because Marketing have bad habits of doing things like decreeing pixel perfect designs that webmasters must follow) and c) are allowed to link to anything that isn't from a big corporation.

While I can imagine it would confuse people who don't know enough about computers, just having a link to an unknown file type could end up even worse as they sit there going "well that's a crap site - I've got the document but it won't open/looks like it is corrupt".

Perhaps I should have made that text a little different and gone for:

[insert link to document here]

If you don't already have it installed, you'll need Adobe Reader [insert link] to view the document

Re:Who the heck still uses Acrobat Reader? (1)

ZERO1ZERO (948669) | more than 5 years ago | (#28780257)

Interestingly, if you google for 'click here', guess what the first result is?

Re:Who the heck still uses Acrobat Reader? (3, Funny)

Norsefire (1494323) | more than 5 years ago | (#28779673)

Who the heck still uses Acrobat Reader?

Anyone who needs to do more with a PDF than simply read it.

Re:Who the heck still uses Acrobat Reader? (0)

Anonymous Coward | more than 5 years ago | (#28780085)

And everyone who wants to read it without crap rendering quality.

Re:Who the heck still uses Acrobat Reader? (1)

GF678 (1453005) | more than 5 years ago | (#28780023)

Who the heck still uses Acrobat Reader?

Every single computer in our corporation because it's mandated by IT?

Foxit is nice, but it's not the "industry standard". I'm not joking.

Ni6ga (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28779659)

you're 7old. It's

Evince vs. Acrobat (0, Offtopic)

Rick Richardson (87058) | more than 5 years ago | (#28779663)

evince linux: doesn't work with USPS "clik to ship" postage.
acrobat 9 linux: works with "clik to ship".

Sorry.

Re:Evince vs. Acrobat (2, Insightful)

L4t3r4lu5 (1216702) | more than 5 years ago | (#28779701)

How about the other five listed here? [wikipedia.org] I'm not running Linux, so I can't wipe your bottom for you. Maybe some research on your part would be useful?

Here, I'll save you some effort and GoogleThatForYou [lmgtfy.com]

Re:Evince vs. Acrobat (2, Insightful)

CarpetShark (865376) | more than 5 years ago | (#28779721)

Evince is pretty lacking in PDF functionality anyway. If you want to compare best of breed on each system, you should probably compare KPDF. It would still fall short of Acrobat Reader. However, I think it's silly to expect otherwise, given that Adobe set the standard AND develop the software meeting that standard in one go.

Re:Evince vs. Acrobat (1)

colfer (619105) | more than 5 years ago | (#28779839)

The USPS thing expects some feedback from the reader. It may require Javascript to be enabled in Adobe Reader, I've had mixed results otherwise. By the way, Adobe Reader updates turn JS back on! At least in version 8.x.

Google docs (3, Interesting)

beadwindow (1578749) | more than 5 years ago | (#28779803)

Google Docs opens PDFs

Why should a 'reader' be a security issue anyway? (4, Insightful)

dtjohnson (102237) | more than 5 years ago | (#28779887)

Adobe began using javascript in their reader beginning with v7 and that has opened up this whole new world of security issues. Wouldn't it be better if the 'reader' just rendered a static file and didn't run embedded script?

Re:Why should a 'reader' be a security issue anywa (1)

Opportunist (166417) | more than 5 years ago | (#28780117)

But ... but all those nifty features, like filling out forms and such! How did we ever survive without them?

It's like saying "Why do we need Aero?" We don't. Few people do at all. But, hell, how do you plan to sell a new version if your markedroids can essentially only say "Well... it has rounded corners now"?

shhhh....don't botch the agency subsidies (1)

harvey the nerd (582806) | more than 5 years ago | (#28779913)

If they make a really secure program, who is going to replace the FSA (Russia) and NSA (USA) subsidy payments?

Running Code in a PDF Reader! (1)

Prototerm (762512) | more than 5 years ago | (#28780235)

In my opinion, the purpose of a PDF reader is to ... wait for it ... *read* a PDF file, not run Java or any other sort of scripting. If a publisher wants to create an interactive program, *there are programming languages for that!* If Acrobat Reader was made to specifically prevent a document from doing anything except *being passively read*, we wouldn't have half these problems.

The Swiss Army Knife approach only works for Switzerland's military elite, not software companies!
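Several comments above turn on PDFs that carry embedded script rather than static content. As an added example (not part of the thread and not Adobe's code), this Python script counts the dictionary keys that mark active content in a PDF so a file can be triaged before it is opened; the key list is a selection made for this example and both sample documents are constructed.

```python
import re

# Name keys that mark active content in a PDF (selection made for this example).
ACTIVE = {
    "JavaScript": "JavaScript action or script name tree",
    "JS": "script body of a JavaScript action",
    "OpenAction": "action run when the document is opened",
    "AA": "additional actions tied to page or field events",
    "Launch": "action that starts an external application",
}
# Containers whose contents this byte-level scan cannot see into.
OPAQUE = {"ObjStm", "Encrypt"}

# A name is '/' followed by regular characters; any character may also be
# written as a #XX hex escape, so /J#61vaScript is the same name as /JavaScript.
NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #XX escapes so escaped and plain spellings compare equal."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage(data: bytes) -> dict:
    """Count active-content keys; 'opaque' means a clean result proves little."""
    active, opaque = {}, False
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in ACTIVE:
            active[name] = active.get(name, 0) + 1
        opaque = opaque or name in OPAQUE
    return {"active": active, "opaque": opaque, "static": not active and not opaque}


# Constructed samples (not real documents): one scripted, one static.
SCRIPTED = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"3 0 obj << /S /J#61vaScript /JS (app.alert\\('hi'\\);) >> endobj\n%%EOF\n")
STATIC = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, sample in (("scripted", SCRIPTED), ("static", STATIC)):
        result = triage(sample)
        for key, count in sorted(result["active"].items()):
            print(f"{label}: /{key} x{count} ({ACTIVE[key]})")
        print(f"{label}: static={result['static']} opaque={result['opaque']}")
```

Because it scans raw bytes, the script can over-count names that appear inside string literals, and it cannot see keys stored in compressed object streams, which is why such files are reported as opaque rather than static.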
