On the periphery of the current RSA conference, Mikko Hypponen, the chief research officer of Finnish anti-virus software vendor F-Secure, has recommended that, due to security problems with Adobe Reader, users should switch to an alternative program.
Of the targeted attacks on managers, politicians and other high-ranking individuals registered this year, almost 50 per cent have exploited six security vulnerabilities in Adobe's PDF products. In 2008 it was Microsoft Word which proved the most popular target – with 35 per cent – for such attacks, although the number of vulnerabilities in Adobe Reader (19) was already exceeding the number in Word (15) by four. Hypponen notes that while the number of infected PDF files observed between January and April 2008 was just 128, over the same period this year it rose to more than 2300.
The attacks involve criminals sending prepared documents to their victims in order to infect and spy on their PCs. The methods used by the recently reported spy network which infiltrated computers belonging to the Tibetan Government in Exile also included crafted PDF files. PDF and Flash browser plug-ins also present a risk.
According to Hypponen, users often fail to update their applications and are not aware that important security updates have been released. Automatic update requests were also often ignored. In Hypponen's opinion, Adobe should establish a regular update cycle for its products in the same way as Microsoft.
Hypponen did not mention specific alternative PDF viewers, but merely referred to the website PDFReaders.org, which lists a number of free readers. The Foxit-Reader is, however, absent from this list. However the list does include open source readers KPDF (for KDE) and Xpdf, which were also recently found to contain critical security vulnerabilities very similar to those found in Adobe's products. Foxit has also previously harboured a number of critical bugs. Users will have to decide for themselves whether switching to an alternative PDF reader, or the rapid installation of security updates, represents the more sensible solution.
(dab)
See also:
(crve)