It's official: Adobe Reader is world's most-exploited app

Adobe's ubiquitous Reader application has replaced Microsoft Word as the program that's most often targeted in malware campaigns, according to figures compiled by F-Secure. Files based on Reader were exploited in almost 49 per cent of the targeted attacks of 2009, compared with about 39 per cent that took aim at Microsoft Word …

COMMENTS

This topic is closed for new posts.
  1. Danington the Third
    Grenade

    Adobe applications....

    ... have vulnerabilities in them? Well bugger me rigid.

    Yet more proof this abomination of a company needs to give their design IPs to a competent group of developers and just erase themselves from the face of the planet.

    1. Fluffykins Silver badge

      Thanks for the offer

      Thanks for the offer but I'm sorry; not while there's dogs on the street

  2. Anonymous Coward
    Dead Vulture

    I believe there's something wrong here

    After reading through some of the links, I can see that the original posts actually only looked at file-based exploits. And only a handful of them at that. So, PDFs are just the office productivity file type most commonly used to exploit computers in 2009. Not that Acrobat has more holes in it than any other software, or that Windows and IE suddenly don't have any issues.

    1. Ken Hagan Gold badge

      Re: something wrong

      Yes. Please could everyone actually follow the link in the article. The quoted figures clearly only considered Acrobat, Word, Excel and Powerpoint. Those four apps add up to 100% in both years.

      Nothing else was considered. Not even IE6, for fsck's sake!

      Um, er, "biased sample", anyone?

  3. armyknife
    Megaphone

    Two Words

    Foxit Reader

    1. Anonymous Coward
      FAIL

      Not just Adobe ...

      Also suffers from the problem.

    2. Fluffykins Silver badge

      Foxit would be OK but for parasiteware

      Foxit reader tries to get the user to install Foxit toolbar along with Foxit reader.

      Also has the impertinence to try and make Ask.com the default search engine (though you can uncheck this)

      I used to think Foxit was OK, but I'll be trying Sumatra pretty soon.

  4. TheTallGuy
    FAIL

    No sh*t sherlock

    As an IT pro who looks after hundreds of thousands of machines: MS make it easy for us, Adobe is a f'ing nightmare. Not getting rid of old versions, stupid installers that insist on running in the logged on user context; they really are nearly as bad as apple at windows software and that's saying something

    1. Anonymous Coward
      Stop

      @TheTallGuy

      "they really are nearly as bad as apple at windows software and that's saying something"

      ...but are they as bad as Microsoft at OSX software (or just any software for that matter!)

  5. Anonymous Coward
    Pint

    Is Acrobat 5 vulnerable too?

    I still use Acrobat 5, it does pretty much all I need, it starts instantly, it reads almost every PDF I've ever thrown at it (that's a lot).

    Is it vulnerable like the trendy new improved ones?

    1. Robert Carnegie Silver badge

      Adobe Acrobat/Reader 5 may be utterly stuffed.

      Try http://www.adobe.com/products/acrobat/readerupdate082005.html

      which is 4½ years ago.

      Apparently you could manually update to 5.0.10. If you haven't then you're probably already a zombie??

      The bug revelations never stop coming for any product edition - but the updates and patches do. All software release lifetimes end with unpatched vulnerabilities.

      (Well... I'll be mildly surprised if anyone is finding new vulnerabilities in CP/M. Or, imagine the altered course of the Second World War if German radio code machine operators transmitted a virus... or if Britain did.)

      MY office is using Internet Explorer 7 and Adobe Reader 7.0.5. Come and get us!

  6. Craig 2
    Unhappy

    Reader

    It really is shambolic that a glorified text reader is almost 40mb to download, and tries to shove extra crap with it. As someone already mentioned, Foxit Reader is great, but even they have started on the slippery slope with included bloatware. (Still worlds apart from Adobe though)

    Just as with <insert favourite hate target here>, something that starts pure and simple ends up being corrupt and bloated.

  7. Andrew Tyler 1

    Foxit

    Last time I went to install Foxit, its installer was trying to sneak sketchy spyware by me. Its reputation is shot so far as I'm concerned. This doesn't imply I like Adobe, of course.

    1. Elmer Phud

      Foxit F#@ked?

      Not sure if it's sneaky spyware - unless it came from a dodgy site that adds extras.

      There are a few things to untick or ignore but that's fairly normal with a lot of free s/w.

      It's a bit like saying Winamp is littered with spyware on installation - it just has a lot of stuff I don't particularly want so I untick most of the options.

  8. Sureo
    Thumb Down

    deaf dumb and blind

    Adobe doesn't want to know about problems with its products. I had a problem with reader wiping out my printers on Win7, and thought I'd report it to them. I could not find a link for that purpose anywhere on their web site. I now do my PDF printing with Foxit.

    1. Anonymous Coward
      FAIL

      Did you google 'Adobe Bug report'

      because that would have led you here

      https://www.adobe.com/cfusion/mmform/index.cfm?name=wishform

  9. Jared Vanderbilt
    Coat

    Rest easy Adobe. Microsoft is in the cloud.

    Thunderbolts will erupt from the heavens now. Millions of trousers will drop simultaneously when Azure tinkles.

    Mine's the rain smock w/ micro SD pockets sewn into the lining.

  10. Anonymous Coward
    Flame

    Lowest bidder

    Hello my name is XXXXXXX and I am here to help with your problem today i understand you are having problems with an app that was made by adobe by outsourcing all of their coding to some country that doesn't quite have rules or an education system that breeds programmers with any good sense and doesn't actually pay a decent minimum wage anyway the adobe shareholders are quite happy i hear and oh your system has been completely ruined by malware no you will need to reinstall windows to fix that and get a new credit card and maybe new car registration and maybe new phone number and address too thank you for calling adobe support

    1. Anonymous Coward
      WTF?

      No title in a reply

      I wasn't aware that any first world countries had an education system that breeds programmers with any good sense.

      While I would never state it during a review, most programmers are way overpaid for their work compared to other equally skilled professions and we take far less responsibility for our actions. Not that I'm complaining, but we all really need to get off our high horses about pay and privilege. We're damned lucky to get the types of jobs we have, with the relatively high salary scales we've come to expect.

      1. Anonymous Coward
        Grenade

        Speak for yourself

        I'd quite like the chance to be overpaid for my work...

  11. Anonymous Coward
    Thumb Down

    @ Is Acrobat 5 vulnerable too?

    Yes it's vulnerable too it's just also unsupported ;)

  12. jake Silver badge

    Easy answer.

    Avoid both Microsoft & Adobe products. Works for me ... and as far as I can see, there is absolutely zero collateral damage.

  13. Anonymous Coward
    WTF?

    Another vote for Foxit

    Sure, Foxit Reader asks if it may install various other things during the install process, all you have to do is say no to them. Basic reading skills should see you through.

  14. copsewood
    Linux

    Evince

    Evince can be studied by anyone for bugs as it is open source. It also respects the legitimate needs of the person viewing a PDF and not the very easily overcome DRM intentions of the document provider, see:

    http://bcu.copsewood.net/sectheory/drm/ProtectedPdfCanBeCopied.jpg

    Opening a PDF on Windows from an untrusted origin using a closed-source viewer is asking for trouble, almost an invitation to a stack overflow attack. Anyone who uses software which meets the needs of the software supplier more than those of the software user deserves what they get.

    1. A J Stiles
      Thumb Up

      With you there

      I honestly can't see why anybody would touch computer software with a barge pole, if they were not allowed to inspect the Source Code.

      Nobody would buy a loaf of bread, if it didn't have a list of all the ingredients and the nutritional content on the wrapper. If you asked the staff at a restaurant what was in the dessert and were told it was none of your business, you'd walk out. Why does anybody think it's any different with computers?

      1. This post has been deleted by its author

      2. Anonymous Coward
        WTF?

        idiot

        Yeah, because the majority of people do understand optimised C/Assembler/what shit adobe works in.

        Get a life.

      3. chr0m4t1c
        Thumb Down

        @With you there

        At wild guess I'd say it's because life's too short.

        Have you really inspected (and *understood*) all of the source code of everything you have ever run?

        How about checked the circuit diagrams on all of the electronic gear you own?

        Have you inspected and understood the firmware of the engine management of you car?

        What about any other forms of transport you use?

        How about films, music and TV? Do you make sure you know how they were made before watching them?

        Don't forget, people buy bread "baked on site" from shops all over the place every day and almost none of those loaves have any ingredient or nutritional information on them.

        Now *I* can't see how you can function in society if you need to inspect every piece of complex technology you deal with. Or are you just happy with stuff that works or tastes nice like everyone else?

        1. Steven Knox
          Boffin

          No, but...

          "Have you really inspected (and *understood*) all of the source code of everything you have ever run?"

          No, but with open source software, I know I can, and often have. Further, I know there are people out there with more time who will, and will help the primary developers find bugs and vulnerabilities and fix them -- and that their job will be a lot easier with access to the source code.

          Electronics, cars, planes, even foods have much more strict liability on the producers than does software (most of which has the "if something goes wrong, it's not the developer's fault, even if it is" license model -- honestly, most software could include code specifically written to erase your hard drive, and the developer would have no liability under the terms of the license). Films and television have monitors to ensure that e.g, "No animals were harmed, etc.".

          "Now *I* can't see how you can function in society if you need to inspect every piece of complex technology you deal with. Or are you just happy with stuff that works or tastes nice like everyone else?"

          It's not about NEEDING to inspect the code, it's about having the OPTION to inspect the code. It's about developers either taking responsibility for the code they write, or letting others do so, rather than clutching the code to their breasts and blaming everyone but themselves when their software is pwned.

        2. A J Stiles
          Troll

          Too short *until*

          "At wild guess I'd say it's because life's too short" -- it's *only* too short until you need something, and find it missing.

          "Have you really inspected (and *understood*) all of the source code of everything you have ever run?" -- no, but the nice people at my favourite distro have, and sometimes they have even made their own little improvements. I've also done some (pretty low-grade, but there's not much to compare to the buzz you get when it builds) source hacking. I also like the comfort of knowing it's there if I should ever need it.

          "How about checked the circuit diagrams on all of the electronic gear you own?" -- all the ones I've ever had to mend, yes. (The diagram actually used to be pasted to the bottom of the inside, if it wasn't in the instructions.)

          "Have you inspected and understood the firmware of the engine management of you car?" -- I have no car. If and when I do obtain one, it will most probably have a Diesel engine with a mechanical fuel pump (the sort that works best with untreated vegetable oil).

          "What about any other forms of transport you use?" -- This is a straw man. For one thing, making sure the vehicle works is a matter for the operator to deal with, not the customers. In any case, the product I'm paying for is being safely transported from one place to another. The "Source Code" for a journey would be the itinerary, and that is published as part of the timetable.

          "How about films, music and TV? Do you make sure you know how they were made before watching them?" -- Another straw man. In any case, the "Source Code" (the script for a play / movie, the score for a song) can be deduced from the product as sold.

          "Don't forget, people buy bread 'baked on site' from shops all over the place every day and almost none of those loaves have any ingredient or nutritional information on them." -- but the shop staff would have to tell them the truth, if they asked.

          Are you seriously telling me you've never, ever had a "this would never have happened if we had the Source Code" (TWNHHIWHTSC) scenario? Or have you just failed to recognise them for what they were, when they have happened to you?

        3. jake Silver badge

          @chr0m4t1c

          "Have you really inspected (and *understood*) all of the source code of everything you have ever run?"

          A large portion of it, yes. It's kind of what I do for a living. For the rest, I trust the FOSS community keeping their eyes open. So far, so good. I can't say the same for any closed source I have ever run, except DEC software ... and I had access to the source for that.

          "How about checked the circuit diagrams on all of the electronic gear you own?"

          Yes, I know how the hardware works. I can debug to component level, and do occasionally. Granted, these days I usually go no further than board level ...

          "Have you inspected and understood the firmware of the engine management of you car?"

          Of course! How else would I reprogram the EEPROMs for better performance (in the sports cars) and fuel economy (in the tow rigs)? In the older vehicles, cam timing & lift and spark advance coupled with jetting in the carb(s) accomplishes pretty much the same thing.

          "What about any other forms of transport you use?"

          I work on all of it. Don't you? It's not exactly difficult.

          "How about films, music and TV? Do you make sure you know how they were made before watching them?"

          Well, I used to teach Broadcasting (KZSU and KFJC). I think I have a pretty good idea.

          "Don't forget, people buy bread "baked on site" from shops all over the place every day and almost none of those loaves have any ingredient or nutritional information on them."

          I bake my own bread, three times a week. Again, it's not difficult.

          "Now *I* can't see how you can function in society if you need to inspect every piece of complex technology you deal with."

          I function quite nicely, thank you. Why do you have issues with people actually understanding how the world around them works?

          "Or are you just happy with stuff that works or tastes nice like everyone else?"

          No, I'm not. I can't remember the last time I bought any pre-prepared food (cheese being a rare exception). I buy ingredients, and cook for myself. It's cheaper, healthier and tastier. I suppose you have issues with that, too.

          Yoof these days ... they don't care how, they just want it now. Sad, that.

      4. Martin Owens

        And...

        ...You just happened to be allergic to nuts and died on the way to the hospital from your lovely proprietary restaurant meal.

        You gotta wonder where they get all these "closed source is good" guys. I wonder if they have a breeder reactor churning out clones.

    2. Anonymous Coward
      Anonymous Coward

      Evince also sucks

      Recent versions of Evince have been dreadful, chewing CPU time and becoming unresponsive on relatively simple documents, on my quad core 3.16 GHz Xeon desktop. Not that impressed.

      I wish I could remember what I used instead last time, as it worked a lot better.. and I have a biggish PDF I need to go through :(

  15. zenkaon

    What I'm confused about

    is why photoshop is so good. What's going on? When Adobe hire people do they give them a competence test?

    dev gets an A - you go and work on photoshop

    dev gets a B - you go and put vulns into reader

    dev gets a C - you go and make flash even "better"

    Or am I deluded? Is photoshop also riddled with the standard adobe "competence"?

  16. Anonymous Coward
    Anonymous Coward

    Adobe vs Ms

    "Adobe's ubiquitous Reader application has replaced Microsoft Word as the program that's most often targeted in malware campaigns"

    And this means that MS is getting better or Adobe is getting worse?

    1. Steven Knox

      Yes.

      "And this means that MS is getting better or Adobe is getting worse?"

      See Title.

  17. cmaurand

    It's still ActiveX

    That's the problem.

  18. Daniel 1

    Much easier to create PDF on the fly, these days

    The ubiquity of free code libraries that can write PDFs - including malicious PDFs, of course - must make the format an attractive attack vector, too. Hackers are fairly lazy people, on the whole. Such libraries exist for Office formats, of course, but it is worth bearing in mind that - in comparison to PDF - Word markup has evolved into a bit of a porridge of, sometimes mutually incompatible, formats that often need specialist software, to translate from one to another.

    This means that attackers can often only target a fairly limited subset of Word versions - in an environment where there may frequently be several different versions in common use at any given site. In a way, Microsoft has inadvertently created a mixed environment of different targets, that makes malware propagation more difficult.

  19. Frank Bough

    Photoshop...

    ...is OK, as long as you're prepared to pay the laughably high purchase price and the insulting yearly upgrade fees. Why there's no competition in this market is a total fucking mystery. Look what happened when Apple decided to compete with Premiere...

    1. Anonymous Coward
      Anonymous Coward

      yeah but no but..

      Premiere was horribad, crashy, slow, clumsy. Photoshop is actually really good- unlike most other Adobe stuff. It works really well, even if CS4 is buried under features that should be in other software.

      Yes, it's horribly overpriced, and Adobe are repellent, but it would be quite hard to compete fully with PS. Damnit.

    2. Mal Adapted
      Linux

      Photoshop...

      "Why there's no competition in this market is a total fucking mystery. "

      GIMP for Linux is free, and you can inspect the source if you don't trust it.

    3. A J Stiles

      No mystery

      "Why there's no competition in this market is a total fucking mystery" -- well, it shouldn't be!

      Adobe tolerate widespread piracy of Photoshop by private individuals. As a result, anybody trying to launch a photo editor ends up competing with a product costing nothing. These pirate copies *aren't* lost sales for Adobe, because these people wouldn't have bought Photoshop if they couldn't get a pirate copy. They *are* lost sales for anybody selling the cheap photo editor people would have had no option save to buy if they couldn't get a pirate copy of Adobe Photoshop (but which doesn't actually exist, because people *can* get pirate copies of Adobe Photoshop).

      Meanwhile, if Fred-in-the-shed with his pirate copy of Photoshop gets a job editing photographs, the company will probably be using Photoshop because that's what the general public are using. Had Fred been using some £50 photo editing software, the company might have paid for that instead, which *would* have represented a lost sale for Adobe.

  20. Jared Vanderbilt

    Acrobat 5 was Adobe's last internet unaware pdf viewer.

    It's considerably safer than the later Adobe internet enabled products with auto-downloaders, auto-updating, and application integration with God knows what; and all that crapware that runs in the background.

    Once you close Acrobat 5 there aren't any Adobe threads running on your system. Plus you can opt out of the update nagware.

  21. Tom 7

    Pointless Document Format

    Pisspoor Document Format

    Poisoned Document Format

    Why do people with computers send other people with computers documents formatted so they have to print the fucking things out to read them? Did people carry horseshit around in their cars, and wait by the grass verge in the early 20thC?

  22. John Tserkezis

    That's why.

    "I honestly can't see why anybody would touch computer software with a barge pole, if they were not allowed to inspect the Source Code"

    If you work within an industry that is so limited in scope you can afford to choose from the pool of free or open source code resources, then good for you. And have you considered wandering past your own cubicle at any time?

    I'm in an environment where we have no choice other than rather expensive software to assist us with our job. The bottom line is, we *could* go back to the old days, do things by hand, and do away with computers altogether. Perhaps keeping the pocket calculators...

    However, this industry is highly competitive, one job numbers in the hundreds of millions of dollars, and when your client says they can get the same next door, with many more features, a fraction of the price and in the fraction of the time...

    1. jake Silver badge

      @John Tserkezis

      "However, this industry is highly competitive, one job numbers in the hundreds of millions of dollars,"

      I call bullshit.

      In my experience, any given two hundred million dollar+ contract/project will budget to create their own custom software, which by definition is open to the folks doing the work.

      Much of said custom software is (and has been) built on/by FOSS tools for over a couple decades now. But then I've only worked on a couple dozen quarter billion dollar contracts/projects. Maybe I've been sheltered from the real world ...

  23. Nuno trancoso

    Made my morning...

    @Mal Adapted

    You just made my morning :)

    First thing I'll do when I get to the office will be to tell the art guys we are ditching PS and going for GIMP, cause a) it's free and b) they can change it.

    That will make their morning too, and I'll get some free beer as ty later in the noon for making them laugh a bit.

    Maybe it's time FOSStards awoke to reality. a) was passed on to clients and b) we don't need to change that which works (unlike some cr@p they got along w/ an ex M firm...).

    Or, if I was in a foul "FOSStard shattering" mood, a) It's free cause no one would pay for that crap and b) you can change my crap all you want too, won't make it gold though.

    @A J Stiles

    Might hold, but doesn't really. If said Fred in a shed could not learn PS for free, he'd have to pay for a course to learn it, because the industry can't work with $50 garbage that disregards said industry's requirements or fails to meet their expectations or can't deliver in time, etc etc etc.

    And given that Paint.NET actually beats the living s..t out of 99% of said $50 apps while being free, said $50 apps have a "browser situation". They didn't lose sales because the "monopoly" played dirty. They lost sales because they SUCKED.

    Now, regarding previous paragraph, there's nothing stopping FOSS guys from coming out with a PS beating app, if only they get head out of @ss and start actually coding it instead of using the "GIMP is free" line.

  24. cstrzelc
    Stop

    Reader is terrible

    Even more so with javascript enabled. Disable javascript!!!!!!
