F-Secure Says Users Should Stop Using Adobe Acrobat Reader
As if the fact that Adobe Acrobat Reader is bloated and slow isn’t enough, more than 47 percent of attacks this year exploit holes in it. With all the Internet attacks that exploit Adobe Acrobat Reader people should switch to using an alternative PDF reader, a security expert said at the RSA security conference on Tuesday.
Just last month, Adobe issued a fix for an Acrobat Reader hole that attackers had been exploiting for months, after issuing a patch for a critical vulnerability in Flash player the month before.
In 2008, the favored targeted attack vector was Microsoft Word, which had 15 known vulnerabilities (compared to Acrobat Reader’s 19) and which represented 34.5 percent of the attacks (compared to 28.6 percent for Acrobat Reader).
Top-level executives, defense contractors, and other people who have access to specific sensitive corporate or government information are subject to targeted attacks where an attacker sends a file that has malicious code embedded in it. Once the file is opened, the computer is infected typically with a back door that then steals data.
PDF and Flash browser plug-ins are also used in attacks known as “drive-by downloads” in which malware is surreptitiously downloaded onto a computer while the user is surfing the Web. The number of PDF files used in attacks rose from 128 between January 1 and April 16 last year to more than 2,300 in that same time period during this year, said Mikko Hypponen, chief research officer of security firm F-Secure.
Adobe “has a lot to learn from, of all places, Microsoft,” which offers regular security patches on a monthly basis as part of Patch Tuesday, Hypponen said.
Part of the problem is people don’t expect that Acrobat Reader upgrades necessarily contain important security patches like they do with Microsoft software, he said.
Hypponen did not recommend a PDF reader, but said Acrobat Reader alternatives are listed on the PDFReaders.org Web site. An obvious Acrobat Reader alternative for Windows would be Foxit Reader. A ZIP package with a latest version that needs no installation can be downloaded here.
Credit: CNET News
More on CyberInsecure:
November 7th, 2010 at 1:16 pm
Foxit requires you install their toolbar into your browser.
November 8th, 2010 at 5:28 am
Gene: No, its not mandatory. You can use it without installing the toolbar.