Another day, another Adobe Acrobat vulnerability. I don’t know about you, but Adobe’s Update tool is a cheery presence on my computer, and I welcome its seemingly daily intrusion into my life to update software that I only use now and again.
In case you can’t tell, I’m being sarcastic. </Homer>
But this is actually a serious issue. McAfee reckons that, by the end of 2010, Adobe Acrobat will represent the number one target for hackers who want to compromise your system. We might joke about it but these vulnerabilities are very serious for individuals and businesses.
Hackers have even begun to take advantage of the fact Acrobat is updated so frequently, sending fake spam e-mails to individuals claiming to offer updates. The situation really is a mess.
Just what is the problem with Adobe Acrobat? Is it really pushed out of Adobe’s door full of more holes than Swiss cheese? Or does Adobe merely have bad luck?
The answer boils down to differing perceptions.
To you and me, PDF files are a quite useful way of distributing documents in read-only format. End of story.
To Adobe, it’s a little more complex. As its Website says, “Portable Document Format (PDF) is the global standard for capturing and reviewing rich information from almost any application on any computer system and sharing it with virtually anyone, anywhere.”
To you and me, the Acrobat Reader software is a handy app that gets fired up every now and again to view PDF files.
Can you see the problem? The security issues have their origins in the fact that Acrobat and the PDF format are just so darned complicated (and, for what it’s worth, the bolted-on extras are why it takes Acrobat so long to start up).
PDFs are not just a handy way of distributing documents. They haven’t been for years.
It’s tempting to accuse Adobe of adding in bloat, but that would be unfair. PDF is a useful business document format that offers a number of functions that are vital to some corporate workflows, such as digital signing. The trouble is that a comparative minority of users need such high-level functionality, but to make a valid business case for using PDF, Adobe must ensure all versions of its PDF software are entirely compatible with every bell and whistle.
That’s why we end up with massively overengineered and buggy software that almost everybody uses merely to view simple PDFs (and, occasionally, fill in forms).
One solution is to use other freely available PDF readers, such as Foxit or Sumatra. But don’t think these are perfect; Foxit was recently updated to fix a number of vulnerabilities.
The all-new Acrobat X features a ‘sandbox’ environment, like Google’s Chrome Web browser, which is able to contain any potential threat and make it significantly harder to compromise a system. However, the efficacy of this is yet to be proven.
But there is a way for Adobe to have its cake and eat it. All it needs do is release a “light” version of Acrobat that’s missing all the bolt-ons that cause the majority of security issues. In other words, it would be a version of Acrobat Reader that does nothing other than display the majority of PDF files out there right now. People have been hacking their own versions of Acrobat for years to do something similar by removing various plugins.
Yes, this might cause problems for certain users, but if anybody should happen to open a PDF that has sophisticated functionality then a dialog box could pop up, asking if the user wants to perform an automated upgrade to the full version of Reader.
Having distributed my own PDF files, I’ve learned there are a great many people who cling to old versions of Acrobat Reader–versions that are five or even 10 years old. They do so simply because Adobe Acrobat has turned into a beast they no longer want on their system. Producing a lighter version of Acrobat Reader could help claw back such users, along with those who have switched to rival products such as Foxit and Sumatra.
So how about it, Adobe?
Keir Thomas has been writing about computing since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com.