Why Are You Still Using Adobe Tools?

Posted by JD 06/30/2010 at 11:00

2014 Update:
Adobe is at it again. This time violating paid customer privacy.
Adobe spies on readers: EVERY page you turn, EVERY book you own leaked back to base

Time to start blocking Adobe domains, if you don’t already.
adelogs.adobe.com is one.

Adobe has been plagued with security issues in its most popular tools, like Acrobat and Reader. These issues seem to be on all platforms, but are mostly targeted by hackers on MS-Windows. For years, we’ve known that Acrobat, by default, allows PDF documents more access than most people need – JavaScript and the ability to start other programs running on the system. 99% of Acrobat Reader users do not need or want either of those features, yet they are enabled by default.
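To see whether a particular PDF actually uses the two features named above, a keyword scan of the raw file is a quick first check. The following is an added example, not part of the original post; the function names (`scan_pdf`, `decode_name`, `report`) are hypothetical and the sample bytes are constructed for illustration.

```python
import re

# PDF name tokens tied to the two features discussed above:
# embedded JavaScript and launching external programs.
RISKY_NAMES = {
    "JavaScript": "embedded JavaScript",
    "JS": "embedded JavaScript",
    "Launch": "launches an external program",
    "OpenAction": "action runs when the document opens",
}

# A PDF name is "/" followed by regular characters; "#xx" hex escapes are
# legal inside names and can hide a keyword from a plain substring search.
NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    plain = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count risky name tokens in raw PDF bytes.

    Objects inside compressed streams are not inspected, so an empty
    result is not proof that the file is harmless.
    """
    counts = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


def report(data: bytes) -> list:
    """One human-readable line per risky name found, sorted by name."""
    return [f"/{n} x{c}: {RISKY_NAMES[n]}" for n, c in sorted(scan_pdf(data).items())]


# Constructed sample (not a real document): an open action, a JavaScript
# action written with a hex-escaped name, and a Launch action.
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert\\(1\\);) >>\nendobj\n"
          b"3 0 obj\n<< /S /Launch /F (placeholder.exe) >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

A file that reports any of these names deserves a closer look before it is opened in a viewer that has JavaScript or program launching enabled.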

Adobe has been slow to correct issues and claimed to be on a quarterly patch cycle. This is for Flash, Shockwave, Reader and all products including Photoshop. For almost all of these tools, there are alternatives that are not the main targets of hackers.

So, I gotta ask …

Why are you still using Adobe Tools?

Why are Adobe products loaded on your system at all? Do you not understand the risks?

These days, if you are running MS-Windows and going onto the internet with it, you need to disable Flash, Shockwave and JavaScript to significantly enhance the security of your system. Seriously.

Adobe does make a few products for about $1000 that I can understand you need loaded. Tools like Photoshop are usually part of your livelihood or job. There are substitutes available, but those other tools are clunky or not really substitutes. Still, I would keep Photoshop patched and up to date as much as possible, and completely avoid Flash, Shockwave and other free tools from Adobe. You don’t need them.

Flash

Using Flash simply isn’t needed for 90% of the internet to work. Most websites that do demand Flash fall into 3 categories – fan sites (yawn) or gaming sites (yawn) or adult sites. For most people, these sites are time wasters when we should be doing something else. There are a few other types of sites that have a small part in Flash, but usually the main site is still HTML/CSS and works just fine without Flash.

JavaScript

Allowing JavaScript on every web site simply is not necessary. With it off by default, most sites that I visit work well enough without any JavaScript support. If a site is unusable without JavaScript, I may enable it for just that single domain temporarily by using a Firefox extension named NoScript. Today, most web sites pull content from 5-10 other affiliate websites for display. Most of that affiliate content is for ads and controlled by JavaScript. Most of the time, when JavaScript is required for a web site to work, enabling it for just that domain and no others will let you see what you want without significantly increasing the risk to your system.

Acrobat Reader or Distiller

If you simply need to view a few PDF files, use an alternative PDF viewer.

  • On Linux, evince
  • On MS-Windows there are a few alternatives, but I use PDF-Xchange.

To create PDF files, you usually need Acrobat with Distiller for about $300. There are many alternatives for that as well. If you use the free and open source OpenOffice suite, then you can simply Save As PDF. Or you can install free versions of other PDF tools, usually as printer drivers, like PDF995 or CutePDF. There are others, including web services where you can upload your source document and they will return a PDF document for free. Check out what LifeHacker has to say about PDF document creation.

You Want Most of the Adobe Tools AND don’t want to Risk Your System …

Don’t use Microsoft Windows. Run Mac OSX or Linux or Solaris or FreeBSD or HP-UX, just not any version of MS-Windows. They are not safe.

I suspect much of this post is a shock to most of you. Some will think that I’m overstating the risks. But it isn’t just me. Computer security professionals everywhere are saying that most attacks against corporations will be with flaws in Flash and PDF file handling.

Ok, no hacker is targeting you directly, well, probably not. They are targeting everybody. That includes you and me. They do not care whether you know anything about security or not.

This is serious stuff.

The problem with computer security is that for every 1,000 times you click on your computer, 999 will do no harm, but the single time that does harm your system will, at best, force you to completely wipe everything and start over. At worst, the compromise will stay hidden for years while transmitting almost every keystroke you make on the PC back to control servers.

How I Do It.

  1. I don’t use MS-Windows for my daily use machine. I’m currently using Lubuntu 10.04, but any non-Windows system is fine.
  2. I have Flash and JavaScript disabled by default for websites, until I decide the site is trustworthy.
  3. I use MS-Windows for non-internet related things and avoid using email or web browsers on those systems.
  4. I patch all systems – MS-Windows and Linux within a week of security patch availability.

For more details, see the Security for Desktop Windows PC article here.

Be careful out there.


  1. JD 09/14/2010 at 07:54

    Another really bad flaw – that’s the 2nd this week in Adobe programs.

    Seriously, if you don’t need Adobe to make a living, be very, very, very careful. The leadership of that company doesn’t seem to understand or appreciate computer security or they would have made the hard decisions a few years ago to make their programs more secure.

  2. JD 10/06/2010 at 07:27

    So, Adobe is still patching a HUGE number of flaws in Acrobat Reader – 23 more bugs just this week.

    When I did software development in a CMM-5 process, we used the amount of errors found in code reviews to help predict the total number hidden in the same code. It was 80% likely that we missed a bug if 2 coding errors were discovered in a single review package. 80%! We’d send the coder back to look for more and reschedule a review for the following week. Most of the time, that follow up review process would find at least 1 more error.

    When I see 23 bug patches, I’m freaking out. That means there are thousands and thousands of bugs remaining statistically in Reader still.

    Don’t use Adobe Software if you care anything about security.

    Flash may be a different thing, since it wasn’t developed in-house at Adobe, but it has been there for years, so Adobe’s bad coding habits have probably gone all the way through the Flash development team.

    Don’t use Adobe Software. That’s all I can say.

  3. JD 12/20/2010 at 12:20

    Adobe Acrobat 10.x changes your security settings without asking.

    It is being reported that upgrading to Acrobat Reader 10.x ignores your previous settings for running 3rd party applications and running JavaScript. I don’t have any Adobe software, except Flash installed on my systems, but this is proof that Adobe just doesn’t get it.

    BTW, you probably want to disable JavaScript AND disable 3rd party apps being launched from PDF files. Only a small number of users in corporate environments will ever use these features. At home, I’ve never needed them. NEVER.

    I have to ask – WHY ARE YOU USING ADOBE PRODUCTS STILL?

  4. JD 03/14/2011 at 21:37

    And it continues. Adobe has failed to take needed steps to secure their software.

    WHY ARE YOU USING ADOBE PRODUCTS?

    I think we’ll be going over similar issues 2 years from now from Adobe software.