18 Replies Latest reply on May 11, 2009 3:41 AM by kashifMohd

    Adobe Reader - Continued Vulnerabilities - Embarrassing

    deepvale Level 1

      It is simply embarrassing that Adobe can't stop releasing products with so many security vulnerabilities.  Due to the latest vulnerability in 9.1, our organization of over 5000 employees will never use your product again.  Additionally, the news is spreading quickly about all the vulnerabilities in Adobe and sooner or later no one will use it or move to another solution.

       

      In my opinion, the only thing that developers should ever work on again in Adobe Reader is security!  We don't need new features -- all users want to do is simply view PDF files!  This should not be a hard product to secure, and it doesn't need to be 138MB to install.

       

      I would understand if this was an incredibly complex application to secure like a Web browser, or email client.  But this is just a program for one simple purpose -- viewing PDF files!  Focus all efforts on securing the product and nothing else.  There is no excuse for another Adobe vulnerability.

       

      I am a software engineer and understand that programmers are human, but the repeated flaws in your software are simply embarrassing!

       

      http://voices.washingtonpost.com/securityfix/2008/02/hackers_exploiting_adobe_reade.html

      http://www.theregister.co.uk/2009/04/28/adobe_reader_flaw/

       

      I could spend hours posting links about all the previous flaws, but I don't have time for that.

       

      From now on focus on security in your product and nothing else whatsoever!

       

      If possible I would like to know who specifically is responsible for the latest fault.  They should probably be fired.

       

      We need to start pointing our finger at specific programmers who were at fault for vulnerabilities and have a database to search for history of faults.  Maybe this is the only thing we can do to make people care enough to design secure software.

       

      This is an embarrassment and Adobe's programmers should be ashamed.

       

      The question is... what will the new vulnerability be in the next "patched" version of Adobe!

        • 1. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
          ~graffiti Adobe Community Professional & MVP

          deepvale wrote:


          Due to the latest vulnerability in 9.1, our organization of over 5000 employees will never use your product again.

          I guess you'd better uninstall Windows while you're at it.

          • 2. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
            Azureman01 Level 1

            I completely agree... Vulnerability issues have been plaguing this software since its elementary stages.  Even some mediocre programmers can easily string some code together and come up with a superior result.  Anyway, I can be described three ways while surfing the web: a) avoid phishing, b) avoid trojans and c) avoid anything with the Adobe name

            • 3. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
              deepvale Level 1

              graffiti, let's try and focus on fault.  This was Adobe's fault (probably a specific programmer).  Let's stay on topic and focus on finding the faults.

              • 4. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                deepvale Level 1

                Azureman gets 10 points for correctly identifying the answer -- the next version of the "patched" software will have a vulnerability!

                • 5. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                  ~graffiti Adobe Community Professional & MVP

                  All I'm saying is, it's software. This sort of thing happens. At least they work on a fix pretty quick (mostly).

                  • 6. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                    ~graffiti Adobe Community Professional & MVP

                    Oh and, if you read the article, they're discussing an old version of Reader (8.1.2) that has been patched for a long while plus there's a newer version available (9.x). You're late to the party.

                    • 7. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                      deepvale Level 1

                      The articles I posted are just examples.  The point is, Adobe might have the worst reputation for software security.  And yes, the programmers should be embarrassed.

                       

                      All versions are impacted by the 9.1 flaw.  Why are you trying to defend Adobe?  Admit it, the security is among the worst of all Windows products.

                       

                      This is simply inexcusable.

                       

                      Are the programmers being bribed by malware authors to intentionally leave holes in their code???

                      • 8. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                        pwillener Level 8

                        What is the point of this discussion? All software has flaws, bugs, vulnerabilities, malfunctions, errors, ...

                         

                        The larger a software, the more likelihood that all these things are in it. Each time new functionality is added, chances are that new flaws are introduced.

                         

                        I find that Adobe reacts quickly when new vulnerabilities are discovered, and so far always before these vulnerabilities were actually exploited.

                        • 9. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                          Cagekicker Level 1

                          I partially agree with this post, but I seriously doubt that an organization of 5000 employees can drop software just like that - and I also seriously doubt that a software engineer has any say in whether said organization changes software at the drop of a hat... or vulnerability in this case. Why don't you get a job at Adobe and fix it?

                           

                          You should go to www.securityfocus.com and sign up for the notification on security vulnerability events...even Symantec has vulnerabilities in it that can be exploited...I signed up for ONE day before I got tired of the amount of email traffic generated.

                           

                          There's a vulnerability, there's a work-around for it to semi-block the avenue of attack. What Adobe NEEDS to work on is not just securing their product in a more organized manner, but also provide work-arounds that can't be changed by the end-users in a business environment. What's the point of creating a GPO to fix a setting when it can be bypassed on purpose or inadvertently????

                          • 10. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                            TLC-IT Level 2

                            Nowhere in this thread have I yet seen what the oh-so objectionable vulnerabilities are.

                             

                            To be sure, Adobe has created an unmanageable nest of worms in Acrobat, with too many code-paths to properly maintain the quality level that users need in "something so utterly basic as a business form."  But, maybe all "old software" gets like that.  If the vulnerabilities are identified, one-by-one in a reproducible way, and trouble-tickets are opened for each one, they will be acted-upon by any professional team of software developers.

                            • 11. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                              Cagekicker Level 1

                              If you subscribed to the various security notification mailing lists, such as US-CERT, Adobe Security bulletins, etc. then an email would be sent with the latest vulnerabilities. Currently, there are two vulnerabilities in the JavaScript function of Adobe Reader - and that's all I know about at t

                              • 12. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                                TLC-IT Level 2

                                Vulnerability-lists like the one that you mentioned certainly are an eye-opener.  And I am also sure that Adobe's engineering teams subscribe to them every day.  Without disagreeing at all with your point that the list is rather-unacceptably large, this is not an indication of incompetence on their part.

                                 

                                Software developers who contemplate using any technology in a "secure" setting need to make themselves constantly aware of the content of (and the existence of...) these formalized lists.  This is especially true of technologies like Adobe Reader or Flash, which depend very heavily upon client-side functionality:  the client side is untrustworthy, and furthermore you have no control at all over what version of this-or-that is out there on any Internet user's machine.  It might be opined that "the vulnerabilities list will always be large, because both the white-hats and the black-hats are very active."

                                • 13. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                                  Cagekicker Level 1

                                  Huh? I think you have two different posters' points of view mixed up. I'm talking about the original poster complaining in a manner that doesn't get anything accomplished except to make himself look like an idiot.

                                   

                                  The vulnerability lists are there to let people know what security risks are either going to be mitigated or accepted until a patch is available (for the end user perspective).

                                   

                                  The only thing I think they need to change is their mitigation for these vulnerabilities (disable JavaScript) doesn't work. It prompts users with a question asking if they'd like to re-enable JavaScript, which is just STUPID and makes securing 400+ workstations not even worth the time it takes to create a GPO.

                                  • 14. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                                    Azureman01 Level 1

                                    As an IT engineer for a company of over 10000 employees, I strongly advise against this software. To be anonymous we'll just call the organization "Inc."  Working at Inc. for nearly twenty years, I have become accustomed to all of Adobe's serious flaws in its security.  On numerous occasions I have spent hours trying to rid our system of trojans and malware.  Well, last Monday, Inc. had an especially large attack. Simply, the malware put on our system from a PDF reader - that's right, ADOBE! - infected all 350 computers on our network.  Still working to remove the trojans, I have made up my mind to never deal with this "lemon" of a program again.  To sum it up, using Adobe Reader equates to several things: broken computers, slow production, and pointless hours wasted.  Thank you Adobe for your "gifts."

                                    • 15. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                                      pwillener Level 8

                                      You forgot to mention if all 350 infected computers had the latest patched software on them?

                                       

                                      If you don't apply available security fixes for operating systems, browsers, document readers and media players, then you can hardly blame anybody else but the computer owners responsible for their maintenance.

                                      • 16. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                                        Azureman01 Level 1

                                        Patrick, come on... I have been in this field for too long to not know "If you don't apply available security fixes for operating systems, browsers, document readers and media players, then you can hardly blame anybody else but the computer owners responsible for their maintenance."  However, it seems as though even you are forgetting that even the new patched version has some serious vulnerabilities. And even the previous "patched" version possessed its own wide array of problems.  Why are you arguing for flawed programming????    (I don't mean any disrespect, I am merely frustrated from Adobe's severe problems)

                                        • 17. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                                          pwillener Level 8

                                          There is nothing to defend - all software that consists of more than a few thousand lines of source code will have flaws and bugs in it. There are a number of security companies out there that try to find these flaws, especially vulnerabilities, before the bad guys can exploit these, and software companies will try to provide fixes before these vulnerabilities are actually exploited in the field.

                                           

                                          There are other PDF viewers available that are much smaller, and most likely with fewer vulnerabilities. I tried one (Foxit) out of curiosity, and it offered me some FREE spyware (Ask toolbar, disguised as "Foxit toolbar") during the install. I unchecked the spyware, but it was installed anyway.

                                           

                                          So when it comes down to making a choice between these two pieces of software, I will select the one that does not sneak spyware on my computers.

                                          • 18. Re: Adobe Reader - Continued Vulnerabilities - Embarrassing
                                            kashifMohd Level 2

                                            I think Adobe software is targeted because of two reasons:

                                            1) As said by Pat it's a big piece of code and hence there's more likelihood of finding bugs in it.

                                            2) Since Adobe has a big brand name and its products are used on millions of computers worldwide, more hackers tend to target it as one vulnerability can be used to target millions of machines (that means a huge chunk of effort is applied to break it). But even after so much effort the number of issues is comparatively less.

                                             

                                            I don't think any other PDF solutions come even close to Adobe products. Believe me you just don't hear about the number of vulnerabilities in those other small products but that doesn't mean that they don't have any