Slashdot: News for Nerds


Adobe Launches Sandboxed Reader X

Soulskill posted more than 3 years ago | from the barn-doors-and-horses dept.

Security 201

CWmike writes "Adobe on Wednesday released Reader X, the next version of its popular software that includes a 'sandbox' designed to protect users from PDF attacks. Protected Mode is Adobe's response to experts' demands that the company beef up the security of Reader, which is aggressively targeted by attackers. Calling the sandbox a 'new advancement' in protective measures, Brad Arkin, Adobe's director of security and privacy, admitted it will not stymie every attack. But he argued it will help. 'Even if exploitable security vulnerabilities are found by an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files or installing malware on potential victims' computers,' Arkin said in a post to a company blog late on Thursday."

201 comments

Great Idea: Will it work? (1)

toygeek (473120) | more than 3 years ago | (#34281712)

I love the idea of it being sandboxed. I downloaded and installed Reader X yesterday, but I haven't had a virus in a long time so we'll see how it goes. However I've got a customer who gets the virus of the week almost on schedule... I'll have him try it out.

Re:Great Idea: Will it work? (4, Insightful)

Pieroxy (222434) | more than 3 years ago | (#34281810)

This is pathetic. This program is a "Reader", just that! How hard can it be to fix all of those buffer overflows? Is the source code so horrendously broken that only a sandbox can fix it? What's next? Sandboxing vi ? ls? /dev/null?

Re:Great Idea: Will it work? (5, Insightful)

humphrm (18130) | more than 3 years ago | (#34281856)

Yep, true dat. I remember when Adobe Reader first came out, it was the cat's ass - lightweight, did its job, nothing else. In fact at one time PDFs were used to avoid those infamous MS-Word viruses that spread in the '90s. Now it's suffering from the same feature creep that affects every other (commercial) software vendor - add features or else you don't think you're "adding value". And those new features carry with them all manner of attack vectors and vulnerabilities.

Which is why I don't think vi will suffer the same fate. I'm not an avid follower of its development, I just use it, but it seems to me that they're keeping it pretty much the way it was intended to be.

Re:Great Idea: Will it work? (1)

micheas (231635) | more than 3 years ago | (#34282504)

Yep, true dat. I remember when Adobe Reader first came out, it was the cat's ass - lightweight, did its job, nothing else. In fact at one time PDFs were used to avoid those infamous MS-Word viruses that spread in the '90s. Now it's suffering from the same feature creep that affects every other (commercial) software vendor - add features or else you don't think you're "adding value". And those new features carry with them all manner of attack vectors and vulnerabilities.

Which is why I don't think vi will suffer the same fate. I'm not an avid follower of its development, I just use it, but it seems to me that they're keeping it pretty much the way it was intended to be.

Although vim keeps adding new features, and nvi has had a security vulnerability as recently as 2008.

Re:Great Idea: Will it work? (0, Flamebait)

Anonymous Coward | more than 3 years ago | (#34283140)

You've got to be kidding, adobe has NEVER made a well-designed product that I've seen.

They had an old text processor for Unix--that may have been one of their better products ever, but it had an upside-down menu system that drove me crazy because the menus were all designed to "Tear off" so the most often used functionality was at the bottom of each menu.

ATM--adobe type manager--one of the first apps that would widely destabilize windows (this was around the time of windows 3). It was horrific and unnecessary, but some apps required it for some god-awful reason.

Adobe Reader plugin--One of the only two apps that has always, throughout its lifecycle, destabilized a browser. Even now if you click on a link for a big, slow PDF, the reader plugin will more likely than not hang your browser. This is the only app that I've had crash ALL of chrome, not just its window. (The other major piece of FAIL in the browser plugin arena is Flash--I was a little perturbed when Flash started to annoy me more than Adobe because it was defocussing my hatred, luckily Adobe solved that by buying Flash)

They also have a crappy overly large, overly expensive and inflexible web development environment.

Nothing but hate, all the way down.

Re:Great Idea: Will it work? (3, Insightful)

zakeria (1031430) | more than 3 years ago | (#34282132)

It's not that the Reader has buffer overflows, underflows, etc.; it's the fact that the Reader has so many built-in functions such as embedded Flash movies, and these have their own flaws. I think Adobe should trim or design a lightweight Reader that has fewer of these features, making it more secure!

Re:Great Idea: Will it work? (0)

Anonymous Coward | more than 3 years ago | (#34282900)

Doing this would be an admission that Reader is insecure. Adobe would never go this route.

Re:Great Idea: Will it work? (3, Insightful)

Pieroxy (222434) | more than 3 years ago | (#34283060)

Doing this would be an admission that Reader is insecure. Adobe would never go this route.

And sandboxing the damn thing isn't an admission of crappiness?

Re:Great Idea: Will it work? (0)

Anonymous Coward | more than 3 years ago | (#34282210)

Obviously Reader isn't just exploited by buffer overflows.

Re:Great Idea: Will it work? (1)

gtall (79522) | more than 3 years ago | (#34282470)

It isn't just the buffer overflows and it isn't just a reader. It now has active content which means it is essentially a vehicle for mobile code...even if the mobile code is somewhat restricted.

Re:Great Idea: Will it work? (3, Insightful)

blueg3 (192743) | more than 3 years ago | (#34282812)

Ever since von Neumann came up with this crazy idea of program and data being the same, guaranteeing that something that just manipulates data doesn't also execute code has been nontrivial.

Re:Great Idea: Will it work? (1)

TheLink (130905) | more than 3 years ago | (#34282946)

There's also the "unhygienic" habit of pushing data onto a stack that is also used to tell the CPU what address to run from when it does a "return".

Re:Great Idea: Will it work? (2, Interesting)

TheRaven64 (641858) | more than 3 years ago | (#34282848)

Sandboxing vi ?

Is vi a link to vim on your machine? If so, it might be worth sandboxing; there has been at least one security hole in vim in the last year or so that has caused a buffer overflow that is exploitable by maliciously crafted text files.

Re:Great Idea: Will it work? (0)

Anonymous Coward | more than 3 years ago | (#34283282)

OpenSSH has to run in a kind of sandbox. Anything written in C/C++ and more complicated than that should be sandboxed too. Java (applets) and JavaScript applications are always executed in a kind of sandbox anyway.

Re:Great Idea: Will it work? (1)

gad_zuki! (70830) | more than 3 years ago | (#34282008)

Did you check his Java? Java is the most exploited app right now. If he doesn't need it you should just uninstall it. If he needs it for a local app then disable the browser plugin and just make sure he keeps up with the updates. By default it sets to check monthly for updates. You should change that to weekly or daily.

Re:Great Idea: Will it work? (2, Funny)

CarpetShark (865376) | more than 3 years ago | (#34282104)

I downloaded and installed Reader X yesterday, but I haven't had a virus in a long time

Well, you do now ;)

Re:Great Idea: Will it work? (1)

hedwards (940851) | more than 3 years ago | (#34282476)

You can just use Sandboxie [sandboxie.com]; it'll do that for pretty much any program you wish.

Not sure I like this idea (2, Funny)

Anonymous Coward | more than 3 years ago | (#34281720)

This is a terrible idea. The neighborhood cats are constantly shitting in my sandbox.

Re:Not sure I like this idea (5, Funny)

mcgrew (92797) | more than 3 years ago | (#34282116)

The sandbox is to prevent the cats from shitting in your laundry basket.

Re:Not sure I like this idea (1)

datapharmer (1099455) | more than 3 years ago | (#34282390)

whew. glad I'm not the only one with that problem.

Re:Not sure I like this idea (1)

MozeeToby (1163751) | more than 3 years ago | (#34283082)

Wow, an analogy that is not only comically entertaining, but also shockingly accurate. I tip my hat to you good sir. *tips imaginary hat*

Does this one work with Chrome? (2, Interesting)

BadAnalogyGuy (945258) | more than 3 years ago | (#34281722)

Acrobat Reader does this stupid thing where it opens the Reader application to show me an error message then shuts that down and opens the document in the browser. During this, any other Acrobat Reader instances opened will be automatically closed and it's a 50/50 shot whether the current document actually shows up properly in the browser.

Re:Does this one work with Chrome? (2, Interesting)

revlayle (964221) | more than 3 years ago | (#34282114)

Might be moot, ver 8 (which is in beta) series of Chrome has a built-in PDF reader - not sure how complete or how secure it is however. That being said, Adobe Reader runs in ver 7 (current stable version) series just fine.

The OS should provide the option to sandbox too (5, Insightful)

the_humeister (922869) | more than 3 years ago | (#34281746)

Any program I run should have the option of being sandboxed by the OS if I so choose.

Re:The OS should provide the option to sandbox too (1)

Pieroxy (222434) | more than 3 years ago | (#34281852)

Any program I run should have the option of being sandboxed by the OS if I so choose.

I guess you mean that every OS should propose that option. I mean, every modern OS, not this unix clone that is based on technologies from the 70s right?

Re:The OS should provide the option to sandbox too (1)

LordLimecat (1103839) | more than 3 years ago | (#34282044)

Wait, are you talking about Linux, Windows, or Mac? Pretty sure they're all "unix clones" in some sense of the word, and pretty sure they're all based on SOME technologies from the 70s...

Re:The OS should provide the option to sandbox too (1)

Pieroxy (222434) | more than 3 years ago | (#34282134)

But only one of them is a unix clone.

Re:The OS should provide the option to sandbox too (0, Troll)

mcgrew (92797) | more than 3 years ago | (#34282150)

Mac and Linux are Unix clones. Why do you think all the viruses are for Windows? "Based on '70s technologies" means it's a mature technology that has kept up with the times. It's a GOOD thing.

If they were to rewrite Windows and base it on this mature tech, Windows would be a lot more stable and secure.

Re:The OS should provide the option to sandbox too (1)

TangoCharlie (113383) | more than 3 years ago | (#34282284)

I thought that WindowsNT was heavily influenced by the VMS architecture?!

Re:The OS should provide the option to sandbox too (3, Interesting)

mevets (322601) | more than 3 years ago | (#34283070)

Windows New Technology => WNT

(V+1)(M+1)(S+1) == WNT

Cutler didn't even pretend it was new.

Re:The OS should provide the option to sandbox too (1)

TheSpoom (715771) | more than 3 years ago | (#34282370)

If they were to rewrite Windows and base it on this mature tech, Windows would be a lot more stable and secure.

They did this. It was, for a while. It was called Windows NT.

Might be time for another rewrite, honestly. *shrugs and continues running Linux*

Re:The OS should provide the option to sandbox too (2, Insightful)

hairyfeet (841228) | more than 3 years ago | (#34282560)

I ahhhh hate to break the news to ya McGrew, but actually repairing Windows PCs for a living I can tell you the vast majority of Windows infections post XP SP2 is PEBKAC related. I have sat there dumbfounded after telling a user that a password protected zip file was an infection and watched them happily do EXACTLY what the email told them to and infect their machine, I have dealt with grown men that would run ANY .exe if it had the word "porn" in the title, and watched grown women click on ANY link sent to them via FB.

I can tell you without a shadow of a doubt that if you replaced all the Windows machines with Linux tomorrow by next week those users' inboxes would be full of "free_porn_codec.sh" or "Happy_puppy_screensaver.sh" with instructions that they WOULD follow to run them. So unless you are willing to take ALL rights away from home users and give them a Steve Jobs style walled garden OS design wouldn't do squat.

As for TFA, how does this compare to the Foxit "protected mode" where it shuts down all the executable code and just gives you the PDF? And for those that want to sandbox ANY app I would suggest Comodo Internet Security [comodo.com] or Comodo AV (same link) which are both free and both by default sandbox ALL apps, and can be easily set to run any app sandboxed full time if you like. It does help with the PEBKAC users if for no other reason than they can't figure out how to turn the sandbox off.

Re:The OS should provide the option to sandbox too (1)

mcgrew (92797) | more than 3 years ago | (#34283100)

can tell you the vast majority of Windows infections post XP SP2 is PEBKAC related

I would imagine that it was pretty much the same as before XP as well. Trojans are a lot easier to write than viruses, and easier to implement on any OS.

That said, had your customers been running Linux, they would have a hard time infecting their machines with malware. Installing an app from your distro's repository is as easy as installing a Windows program, but installing some random piece of code off the internet isn't. Your virus-infected customers surely would have an incredibly hard time getting that trojan installed, if they could do it at all, even with instructions -- and the instructions for installing a non-repository app differ at least slightly from distro to distro.

I haven't used FoxIt, I don't remember the name of the document reader that comes with kubuntu, but it's neither Adobe or Foxit.

Re:The OS should provide the option to sandbox too (1)

vistapwns (1103935) | more than 3 years ago | (#34283080)

All the viruses are for Windows, for the same reason all the games are for Windows, not cause they won't run on unix but because Windows is 90% of the market. Some games get rewritten for linux, because developers are saps and feel sorry for linux users, virus writers have no such pity, so it looks like a windows specific problem, when it is not. World famous hackers like Charlie Miller, who is a mac user btw, has said that 3 year old Vista is more secure than brand new Snow Leopard. So please put your cup of kool-aid down and verify what your unix friends tell you, because most of it is propaganda with the aim of saying anything at all to increase unix's pathetic market share.

Re:The OS should provide the option to sandbox too (1)

mevets (322601) | more than 3 years ago | (#34283098)

Mac is UNIX
Linux is unix-ish
Windows is vms-ish

They are all based on old technologies.

VMS was heavily based on shared memory; thus was Windows, and that shared kernel data has been the vector of so much hurt.

Re:The OS should provide the option to sandbox too (1)

rrossman2 (844318) | more than 3 years ago | (#34282248)

Ah yes... I have yet to get hit with a virus or worm on my Minix box!

Re:The OS should provide the option to sandbox too (2, Informative)

humphrm (18130) | more than 3 years ago | (#34281888)

There are security / firewall products out there for Windows that do just that, sandbox applications. I won't shill any, but there are free (as in beer) products too.

I only mention Windows because it's trivially easy to sandbox apps in just about any other OS.

Re:The OS should provide the option to sandbox too (1)

ciderbrew (1860166) | more than 3 years ago | (#34282080)

Can you sandbox games and their DRM? If I could uninstall the DRM at will and not have it poison and hide around the system then maybe I could live with it a bit more.

Re:The OS should provide the option to sandbox too (1)

humphrm (18130) | more than 3 years ago | (#34282186)

I've never tried games, although I have a steam account so I could try. Most of my games are from GOG. ;-) I always sandbox Adobe Reader and it works pretty well.

Re:The OS should provide the option to sandbox too (1)

Nimey (114278) | more than 3 years ago | (#34282640)

Sandboxie is the first one I can think of. Free as in beer, but it'll delay launch for a few seconds once so many days have passed unless you buy the registered version.

Re:The OS should provide the option to sandbox too (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34281912)

Any program I run should have the option of being sandboxed by the OS if I so choose.

This.

It shocks me that this is *still* not a common OS security feature. Some do it by default, but it should at least be an option all the time.

For Windows & *NIX variants? You can... (1, Informative)

Anonymous Coward | more than 3 years ago | (#34281930)

For Windows, you can use a FREE program called "SandBoxie" (and it's NOT just for webbrowsers, it can sandbox any Ring3/RPL3/UserMode app) http://www.sandboxie.com/index.php?DownloadSandboxie [sandboxie.com] , and on *NIX's you can use chroot (of course) & create a chroot jail.

APK

Re:The OS should provide the option to sandbox too (1)

Spad (470073) | more than 3 years ago | (#34281940)

Vista/Win 7 does allow programs to be executed with Low Integrity Level so that it is essentially sandboxed. However, apps have to be written to take advantage of this functionality otherwise there's a good chance they'll break if run with a Low Integrity Level. Some specific PDF Reader-related info here [didierstevens.com]

Re:The OS should provide the option to sandbox too (1)

hedwards (940851) | more than 3 years ago | (#34282520)

That's not the same thing. You should be able to run the programs both at low integrity level and in a sandbox. The point of the sandbox is to keep the program segregated from the rest of the programs in case somebody manages to find an exploit to elevate privileges. They'd have root, but they'd have root in the sandbox and would have to then break out of the sandbox to do much.

Re:The OS should provide the option to sandbox too (1)

icebraining (1313345) | more than 3 years ago | (#34282090)

AppArmor ("Application Armor") is a security module for the Linux kernel, released under the GNU General Public License. From 2005 through September 2007, AppArmor was maintained by Novell. AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It was included as of the 2.6.36 version of the mainline Linux kernel.

In addition to manually specifying profiles, AppArmor includes a learning mode, in which violations of the profile are logged, but not prevented. This log can then be turned into a profile, based on the program's typical behavior.
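An added example, not part of the original thread and not AppArmor's own tooling: a simplified Python sketch of the log-to-profile step that learning mode relies on, reading complain-mode audit records and emitting file rules. The log lines, the `/usr/bin/pdfviewer` profile name and the paths are constructed for illustration.

```python
"""Sketch: turn AppArmor complain-mode ("learning mode") records into file rules."""
import re
from collections import defaultdict

# Constructed audit records for a hypothetical /usr/bin/pdfviewer profile.
SAMPLE_LOG = '''\
type=AVC msg=audit(1290000001.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/pdfviewer" name="/etc/passwd" pid=4242 comm="pdfviewer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1290000001.140:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/pdfviewer" name="/etc/localtime" pid=4242 comm="pdfviewer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1290000002.010:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/pdfviewer" name="/home/alice/.config/pdfviewer/prefs.conf" pid=4242 comm="pdfviewer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1290000002.055:204): apparmor="ALLOWED" operation="open" profile="/usr/bin/pdfviewer" name="/home/alice/.config/pdfviewer/prefs.conf" pid=4242 comm="pdfviewer" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1290000003.300:205): apparmor="ALLOWED" operation="capable" profile="/usr/bin/pdfviewer" pid=4242 comm="pdfviewer" capability=1 capname="dac_override"
type=AVC msg=audit(1290000004.700:206): apparmor="DENIED" operation="open" profile="/usr/sbin/otherd" name="/etc/shadow" pid=77 comm="otherd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Log masks use c (create) and d (delete); a profile rule covers both with w.
LOG_TO_RULE = {"c": "w", "d": "w"}
RULE_ORDER = "rwalkm"


def parse_record(line):
    """Split one audit line into key/value fields, unquoting quoted values."""
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in FIELD_RE.findall(line)}


def learn_rules(log_text):
    """Collect per-profile file accesses that were logged but not blocked."""
    rules = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "ALLOWED":
            continue  # only complain-mode records describe learned behaviour
        if "name" not in rec or "requested_mask" not in rec:
            continue  # capability and other non-file events are out of scope
        if "x" in rec["requested_mask"]:
            continue  # exec rules need a transition mode chosen by a human
        entry = rules[rec["profile"]].setdefault(
            rec["name"], {"perms": set(), "owner": True})
        entry["perms"].update(LOG_TO_RULE.get(c, c) for c in rec["requested_mask"])
        if rec.get("fsuid") != rec.get("ouid"):
            entry["owner"] = False  # accessed a file the process does not own
    return rules


def render_profile(profile, paths):
    """Emit the file rules of a profile body, narrowest form first seen."""
    lines = [f"{profile} {{"]
    for path in sorted(paths):
        perms = set(paths[path]["perms"])
        if "w" in perms:
            perms.discard("a")  # w and a cannot be combined in one rule
        mode = "".join(c for c in RULE_ORDER if c in perms)
        prefix = "owner " if paths[path]["owner"] else ""
        lines.append(f"  {prefix}{path} {mode},")
    lines.append("}")
    return "\n".join(lines)


def outside_expected(paths, expected_prefixes):
    """List learned paths the developer did not anticipate, for manual review."""
    return sorted(p for p in paths if not p.startswith(tuple(expected_prefixes)))


if __name__ == "__main__":
    learned = learn_rules(SAMPLE_LOG)
    for name, paths in learned.items():
        print(render_profile(name, paths))
        print("review:", outside_expected(paths, ["/home/alice/.config/pdfviewer/"]))
```

The review list is the part worth reading before enforcing anything: it surfaces accesses made by libraries on the program's behalf, which a generated profile would otherwise grant without anyone having looked at them.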

The trouble with sandboxes... (2, Interesting)

goombah99 (560566) | more than 3 years ago | (#34282112)

Any program I run should have the option of being sandboxed by the OS if I so choose.

I totally agree. The OS should provide hooks to applications to spawn sandboxes. I know that Apple already has this in OSX since I use it in Xgrid to sandbox jobs. They have not documented the configuration yet but it's easy enough to guess. It works well. It would be cool if they could take it a step further to the thread level so you could share memory but imprison the resources a thread can use.

I have found the tricky part of this is that many things you think you can turn off are not so easy. For example, many applications need to access preference files so they need read write to the preferences directory. Your code may not be actually writing to that directory but calling a persistence library function for dictionaries and it may require you to allow access to the whole directory not just a file.

In other cases your app may call other things that expect certain access. For example, when you run the command "ls -l" in a shell, it accesses /etc/passwd in order to put names to the process UIDs. When you ask for the time or date, various localization files in /etc are consulted. When you call open/save dialogs some of these appear to try to inventory the mounted drives in /Volumes (which you can see because the drives spin up).

It's hard to anticipate these things because libraries and APIs that you use have legacy expectations of their privileges. In order for the code to grant that access to the API, the code itself has to have it too. The only work-around for that is to go back to the evil days of Set UID root scripts (like the command "ps" still has).

Re:The trouble with sandboxes... (3, Insightful)

datapharmer (1099455) | more than 3 years ago | (#34282454)

It seems that the answer to that problem would be to a) allow read write on a file-by-file basis based on a signed "declaration" by the program that specifies what files the program needs, or b) fool the program by pulling copies of the originals into the sandbox so it thinks it is writing to them and runs happily while not interfering with the rest of the OS (isn't that the entire point of a sandbox?)

Performance (1)

jawtheshark (198669) | more than 3 years ago | (#34281748)

Adobe Reader is already a performance slouch. This probably won't help a bit. Too bad my tax declaration only works with their version. Well, as far as I could see at least.

Reader aggressively targeted by attackers? (0)

Anonymous Coward | more than 3 years ago | (#34281764)

"Protected Mode is Adobe's response to experts' demands that the company beef up the security of Reader, which is aggressively targeted by attackers

Shouldn't that be beef up the security of Reader on Windows, which is aggressively targeted by attackers ..

.pdf safety rules (1)

digitaldc (879047) | more than 3 years ago | (#34281776)

The ONLY way I can feel safe is to run Adobe Reader Protected Mode in Windows Safe Mode. Then, and only then, I will be safe.

Re:.pdf safety rules (1)

hedwards (940851) | more than 3 years ago | (#34282540)

Adobe reader is kind of a challenge. With Java that's easy. If I really want to be safe, I go down to the local Starbucks with a thermometer and measure the temperature before I move it. I have yet to get burned by hot coffee when doing it like that.

They've used up all my trust already. (1)

Anonymous Coward | more than 3 years ago | (#34281780)

Come on, Adobe. This feature was programmed by Marketing Dept, I'd guess.

Adobe Reader, now even slower! (2, Informative)

RingDev (879105) | more than 3 years ago | (#34281784)

I mean really, Adobe Reader has become one of the worst PDF readers available. It's slow. It hangs the browser. It's constantly getting attacked. And it's a total pain to keep it updated.

Just get Foxit and be done with it. It's light weight, doesn't hang browsers while opening large PDFs, has a SIGNIFICANTLY better search interface, and so far hasn't been subject to any major attacks/flaws.

-Rick

Re:Adobe Reader, now even slower! (4, Informative)

Spad (470073) | more than 3 years ago | (#34282002)

and so far hasn't been subject to any major attacks/flaws.

Sadly not true; it was vulnerable to the /launch "vulnerability/feature" as well as a couple [secunia.com] of others [secunia.com] . Even Sumatra has had one [secunia.com] .

Re:Adobe Reader, now even slower! (1)

JonySuede (1908576) | more than 3 years ago | (#34282006)

If you use Foxit, install the gdi+ module. It changes the rendering so it's snappy and fast.

Re:Adobe Reader, now even slower! (1)

LordLimecat (1103839) | more than 3 years ago | (#34282066)

It does have a major flaw-- its insistence on installing that awful toolbar unless you choose "custom mode"-- regardless of whether or not you uncheck the "please install toolbar" box. STILL not fixed after what, 3 versions? Starting to think they have some kind of motivation for forcing this thing on people.

Re:Adobe Reader, now even slower! (1)

revlayle (964221) | more than 3 years ago | (#34282136)

This is why I abandoned it. Also, it seemed it was just getting sloppy with some of their last releases.

Re:Adobe Reader, now even slower! (1)

Anonymous Coward | more than 3 years ago | (#34282168)

Agreed - Foxit Reader installation sucks because of this. I regret every time I forget to use custom mode to avoid that stupid Ask toolbar being installed even when I have unchecked the option. If they can't get this right then what else may there be wrong with the app?

Re:Adobe Reader, now even slower! (1)

Lumbre (1822486) | more than 3 years ago | (#34282230)

I probably use custom install, though it probably works on quick install too:

Instead of blindly accepting the license agreement, click the next/accept button. The checkbox says something like "I accept the above agreement and would like to install the Ask Toolbar". Notice the "and". You do not need to check any of these checkboxes to continue installation.

Out of all the computers I've built, I've only had the Ask toolbar installed once, and that might've been when they truly forced you to install it, or I might've checked that box like everyone else.

Re:Adobe Reader, now even slower! (3, Informative)

hairyfeet (841228) | more than 3 years ago | (#34282672)

There is actually an EASY way to get around this, as well as for apps like CCleaner that try to add crap. Just go to Ninite [ninite.com] and check what you want installed. They have over 90 of the most common apps and you can even suggest more to add at the bottom of the page. They have made it a total unattended install with NO TOOLBARS on ANY app they have there, be it Foxit, CCleaner, Java, etc. It also makes setting up a new PC with all the basics as simple as "check box, run installer, done" so enjoy!

Re:Adobe Reader, now even slower! (4, Insightful)

Menacer (222952) | more than 3 years ago | (#34282068)

Just get Foxit and be done with it. It's light weight, doesn't hang browsers while opening large PDFs, has a SIGNIFICANTLY better search interface, and so far hasn't been subject to any major attacks/flaws.

You're incorrect that Foxit reader has not been subject to attacks or flaws. This article from last year [zdnet.com] , for instance, describes in-the-wild attacks of Foxit. A Google search for "foxit reader buffer overflow" brings up a number of known (though patched by now) exploits.

Foxit reader, like any other piece of software, is bound to have errors. Use it because you like the interface, or use it because it's less likely to be exploited due to its relative unpopularity. Don't delude yourself into thinking it's completely secure. That's the same fallacious argument that some OSX and Linux users make when saying that their operating systems are immune from viruses or worms. They may be more secure when compared to Windows, but there's nothing in their underlying architecture that prevents them from being exploited with enough effort.

Re:Adobe Reader, now even slower! (1)

Nimey (114278) | more than 3 years ago | (#34282654)

On the gripping hand, Foxit is lighter, meaning fewer lines of code, which means in theory that it's easier to maintain and there should be overall fewer bugs.

Not going to make it unbreakable, but overall tighter.

Re:Adobe Reader, now even slower! (2, Informative)

yuhong (1378501) | more than 3 years ago | (#34283104)

Or use it because it is patched faster.

Re:Adobe Reader, now even slower! (3, Informative)

EvilMonkeySlayer (826044) | more than 3 years ago | (#34282118)

Foxit is fine for home assuming you remember to correctly untick all the adware options. But in a work environment (I work at a printers) on average I'd say Foxit incorrectly renders PDFs about 5% of the time, leading to support calls whereas Adobe Reader's incorrect rendering is pretty non-existent. (I actually tried switching work over to Foxit a while ago, nothing but support hassle from incorrectly rendered PDFs)

I'm not defending Adobe here because I think their reader is a bloated pos, but if you're going to recommend a third party PDF viewer then Sumatra is the best, it's light weight, loads damn near instantly and doesn't include a JS engine side stepping a lot of security issues.

Also, on the major attacks/flaws thing. Actually Foxit has had some seriously bad security issues, you need only google for "foxit reader security holes" or look on exploit-db [exploit-db.com] to see them.

Re:Adobe Reader, now even slower! (1)

b0bby (201198) | more than 3 years ago | (#34282170)

But in a work environment (I work at a printers) on average I'd say Foxit incorrectly renders PDFs about 5% of the time, leading to support calls whereas Adobe Reader's incorrect rendering is pretty non-existent. (I actually tried switching work over to Foxit a while ago, nothing but support hassle from incorrectly rendered PDFs)

Yeah, I hate Acrobat & Reader too, but my trials with Foxit in the work environment were even worse. Maybe it's better now, but a couple of years ago it didn't cut it.

Re:Adobe Reader, now even slower! (0)

Anonymous Coward | more than 3 years ago | (#34283260)

I'd recommend PDF-Xchange Viewer. http://www.tracker-software.com/product/pdf-xchange-viewer [tracker-software.com]
Not only is it free, lightweight and fast, it allows you to draw, add text etc on an existing PDF also. I'd recommend you try it out. Also remember to turn off javascript support also in order to avoid potential security risks. I have been using it for two years without any problems.

Disclaimer: I have no affiliation with tracker software and I have even no idea what kind of other products they offer.

Re:Adobe Reader, now even slower! (1)

gander666 (723553) | more than 3 years ago | (#34282288)

Sadly, I have Acrobat Pro, and it is just about as bad too. I suspect I will not spend the $$$ to upgrade to Acrobat X this go around. It used to be great, then bloat, and collaboration ware seemed to appear, and its actual value has plummeted.

I guess I shouldn't be surprised.

Re:Adobe Reader, now even slower! (1)

dorinmouss (1925306) | more than 3 years ago | (#34282904)

agree, adobe reader is really very slow :( thanks for Foxit, surely will try it

Re:Adobe Reader, now even slower! (1)

suv4x4 (956391) | more than 3 years ago | (#34283236)

Adobe Reader, now even slower!

Really? How did you find out. Did you install it?

I did. Here is what I found:

It seems significantly snappier than Reader 9, except for the very first startup after install, where it copies some first use files and pops up a license agreement.

It starts instantly every time, but it has added "Adobe Reader SpeedLauncher" to my autorun items. I didn't notice slower Windows boot or noticeable RAM loss due to it, however.

The UI has been simplified, it looks decent, and the after-install base is 111MB, from 140MB for ver.9. The latter may be due to accumulated updates over time, but it shows the new version is definitely not larger.

If you want to recommend FoxIt, you're welcome to, I use it myself on some machines, it's a decent PDF viewer.

But don't spread your ill-informed "I mean really" FUD about Adobe Reader as a means of achieving it.

Air tags along. (1)

NinePenny (856053) | more than 3 years ago | (#34281804)

Great! Now, where can I get the non Air installing version? All I want is Reader, not extra stuff that is vulnerable as well.

Re:Air tags along. (1)

Voxxel (147404) | more than 3 years ago | (#34281954)

From Adobe's FTP site. All neatly organized by platform and version.

ftp://ftp.adobe.com/pub/adobe/reader/

Re:Air tags along. (2, Interesting)

rrossman2 (844318) | more than 3 years ago | (#34282320)

yes, and the 3rd directory down in this link sums it up pretty well

ftp://ftp.adobe.com/pub/adobe/acrobat/ [adobe.com]

Index of /pub/adobe/acrobat/
Name Size Date Modified
[parent directory]
all/ 8/26/08 1:00:00 AM
js/ 1/25/07 12:00:00 AM
junk1/ 2/12/04 12:00:00 AM
mac/ 3/10/09 1:00:00 AM
misc/ 5/31/01 1:00:00 AM
unix/ 1/20/00 12:00:00 AM
win/ 8/6/08 1:00:00 AM

1 in 5 Americans Mentally Ill (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34281834)

http://www.cnbc.com/id/40257359 [cnbc.com]

Yeah, they're called "Progressives," and their idea of progress is to concentrate the world's wealth and power into the hands of a very few privileged elites and condemn the rest of us to serfdom.

er, wat? (3, Informative)

Entropius (188861) | more than 3 years ago | (#34281844)

Evince works just fine here!

Widely used != Popular (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34281846)

It's been asked time and time again. How can it be so slow? Even the installer is exceptionally slow. Throw it out and use a normal installer already.

FTP Links (4, Informative)

Anonymous Coward | more than 3 years ago | (#34281862)

ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.0.0/ [adobe.com]

A few language options available, and EXE or MSI format.

soon (3, Funny)

w00tz (1943770) | more than 3 years ago | (#34281904)

soon to come: Virtualized Adobe Reader which runs in its own kernel space, with GUI, multiuser and multitasking support!

Re:soon (4, Funny)

SLot (82781) | more than 3 years ago | (#34282184)

Adobe emacs?

sudo -u lamer /usr/local/Adobe/bin/acroread (1)

bl8n8r (649187) | more than 3 years ago | (#34281990)

Run acrobat as another user using sudo. This will contain future exploits to "lamer's" home directory instead of relying on Adobe to protect you. I fully expect Adobe's sandbox implementation to be as dismal as their security track-record.

Re:sudo -u lamer /usr/local/Adobe/bin/acroread (1)

icebraining (1313345) | more than 3 years ago | (#34282122)

Why run it at all? There are some nice PDF readers for Unix(-like) systems.

Re:sudo -u lamer /usr/local/Adobe/bin/acroread (1)

Herve5 (879674) | more than 3 years ago | (#34282314)

Will this allow you to copy-paste bits from the acro doct to your session?

Re:sudo -u lamer /usr/local/Adobe/bin/acroread (1)

Abcd1234 (188840) | more than 3 years ago | (#34282738)

Eh, then all you need is a local privilege exploit and you're hosed. And there's no shortage of those on Linux, that's for sure.

Re:sudo -u lamer /usr/local/Adobe/bin/acroread (1)

0123456 (636235) | more than 3 years ago | (#34283332)

Eh, then all you need is a local privilege exploit and you're hosed. And there's no shortage of those on Linux, that's for sure.

No, you need:

1. A hole in the PDF reader that can be exploited.
2. Simultaneously, a local privilege exploit.
3. An actual exploitable file which can exploit that on your particular brand of Linux.
4. Not to be running an AppArmor or SELinux configuration which prevents Adobe software from doing anything bad.

#1 is common, #2 is rare and usually my machines have installed patches for me before I even hear about the exploit, #3 is unlikely and #4 should block many exploits before they happen (some exploits have been able to disable AppArmor and SELinux).

Alternatives (2, Interesting)

EvilMonkeySlayer (826044) | more than 3 years ago | (#34282026)

Whilst an improvement I'll take a good bet it's still a memory and processor hog. I'd advise people to use Foxit but honestly these days it isn't much better and includes adware.

I personally use Sumatra at home, at work (I work at a print company so we receive lots of PDFs) we use Adobe Reader but I've made sure to disable JS by default in it. It's amazing just how many attacks disabling JS stops. The really impressive thing is that of the massive amount of PDFs work receives we very rarely have one that requires JS. The unfortunate reality of PDFs though is that Adobe's Reader is the best renderer, whilst say with Sumatra or Foxit may get 5% rendered incorrectly that's a lot of needless support calls and hassle.

Plugins.... (2, Interesting)

IronWilliamCash (1078065) | more than 3 years ago | (#34282048)

Wow way to screw over plugin users. Instead of fixing the bugs in their software they just block out a whole lot of stuff.... I work for a software company that uses a plugin to connect to the reader and have real time bookmark following between the reader and our software. With this new "enhancement" our link to the reader is completely broken. We either have to tell our clients to disable the protected mode and go back to the same broken reader or our clients can stop using our features... Thanks, Adobe

Re:Plugins.... (1)

thewils (463314) | more than 3 years ago | (#34283256)

Without a specific agreement between your company and Adobe you can't really complain too much if they switch things around on you. Not really Adobe's fault that they break your plugin.

You can't fight security with legislation (0)

Anonymous Coward | more than 3 years ago | (#34282124)

A simpler solution is to keep your executables and data separate and don't allow write access to the executables - simples ;)

Why not just.... (1)

Lumpy (12016) | more than 3 years ago | (#34282130)

Debloat it?

Honestly, I use an alternative pdf reader that will not play Mpeg4, launch my CAD program, etc. and it works perfectly.

Adobe; cut out all the useless crap and make the thing once again RENDER A PDF FILE AND ONLY A PDF FILE.

I will not use Acrobat Reader, it's slow, bloated and because of the really stupid design of allowing it to launch an external app to render encoded data, it's a major security risk.
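Added example, not part of the thread or of any product discussed in it: two comments above tie PDF risk to embedded JavaScript and to Reader launching external programs, and both features are declared in a file by a few PDF name objects, so a mail or upload gateway can triage on them. The function names, the allow/review/block policy and the sample byte strings are assumptions constructed for illustration.

```python
import re

# PDF name objects tied to the two risks raised in the thread: embedded
# JavaScript and actions that start an external program.
RISKY_NAMES = ("/JS", "/JavaScript", "/Launch", "/OpenAction", "/AA")

# A name is "/" followed by regular characters (no whitespace, no delimiters).
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample inputs (not real documents).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
             b"3 0 obj\n<< /S /J#61vaScript /JS (constructed) >>\nendobj\n")
SAMPLE_LAUNCH = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
                 b"3 0 obj\n<< /S /Launch /F (placeholder) >>\nendobj\n")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is counted as /JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def count_risky_names(pdf_bytes: bytes) -> dict:
    """Count risky names in the raw bytes.

    Names inside compressed object streams are not visible to this scan,
    so a zero count does not prove that a file has no scripts or actions.
    """
    counts = {name: 0 for name in RISKY_NAMES}
    for match in NAME_RE.finditer(pdf_bytes):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def triage(pdf_bytes: bytes) -> str:
    """Assumed policy: block launch actions, send scripted files to review."""
    counts = count_risky_names(pdf_bytes)
    if counts["/Launch"]:
        return "block"
    if counts["/JS"] or counts["/JavaScript"]:
        return "review"
    return "allow"


if __name__ == "__main__":
    for label, data in (("plain", SAMPLE_PLAIN), ("js", SAMPLE_JS), ("launch", SAMPLE_LAUNCH)):
        print(label, triage(data), count_risky_names(data))
```
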

Sandbox secure (1)

Anonymous Coward | more than 3 years ago | (#34282542)

Sandbox isn't instant security. A sandbox is just another layer on the already existing layers of security. We see how much that has helped.

Adobe pdf browser plugin (2, Funny)

ZERO1ZERO (948669) | more than 3 years ago | (#34282558)

Doesn't anybody else find this to be one of the most annoying design decisions ever made?

I absolutely hate it when the PDF loads into the browser rather than the PDF software. All your menus mess up, you can't fully use the PDF software, you can't fully use your browser, the PDF software hogs your browser up.

I blame Internet Explorer.

Re:Adobe pdf browser plugin (2, Informative)

Anonymous Coward | more than 3 years ago | (#34283170)

What does it have to do with Internet Explorer? It was Mozilla that came up with the browser plug-in concept and introduced NPAPI with Netscape 2.0 specifically to allow this. That same plug-in API is still used in Firefox, Safari, Chrome and Opera. That predates the integration of ActiveX (or NPAPI) in Internet Explorer.

PDF and Reader "lite" (0)

Anonymous Coward | more than 3 years ago | (#34282762)

I wish Adobe would spec out a "light" version of the PDF format and create a reader that conforms to it? Reader has gotten so big because of features that a lot of people don't really care about anyway.

Is "a little better" really better? (0)

Anonymous Coward | more than 3 years ago | (#34282860)

Brad Arkin, Adobe's director of security and privacy, admitted it will not stymie every attack. But he argued it will help.

Restating this in more practical terms: locking some of your doors will not stymie every thief. But it will help!

Sorry, I'm just not buying it.

Fortunately, the slow download of Adobe Reader (4, Interesting)

thewils (463314) | more than 3 years ago | (#34282906)

Gives you ample time to uninstall the McAfee Security Scan Plus that gets installed without your permission.

default handler (1)

yakumo.unr (833476) | more than 3 years ago | (#34283154)

Not only does the make 'select default PDF handler' option bizarrely trigger an msi installer to run which is frankly a mind boggling way to get it to work if you ask me...

it doesn't actually work! it's not replacing the (default) registry string foxit and other PDF readers set!

Other than that pain, it's the first version of Adobe Reader I've decided to use since viable alternatives were available, as with any luck this new sandboxing should actually be worthwhile.

evince (1)

craftycoder (1851452) | more than 3 years ago | (#34283278)

I just wish evince was faster so I didn't have to keep both of them on my computer. I use evince except when I have to look at really big pdfs, then I have to use Reader.

OS Limited Rights (1)

ProfessionalCookie (673314) | more than 3 years ago | (#34283318)

I think it makes sense to have the OS centrally manage application rights. All of them.
  • Execution
  • Granular Network Access
  • FS Read/Write (like limit to directory or file)
  • Mutability/Updates
  • Hardware/Driver Access
  • Execute other programs
  • etc etc etc...

It just seems like kind of a no-brainer. Why does my browser need anything more than read/write on the cache folder and write for Downloads? Why shouldn't Acrobat not be able to execute other programs by default (handled by the OS). Why does a game need access to anything but its saved games folder? I understand that most of our problems are from users but it seems like a sane set of default policies could make things a lot easier to manage :)
