First, Adobe needs to be consistent about what it calls the product. One day it’s Acrobat Reader, the next it’s Adobe Reader, and if they want to be really formal and flowery, it’s Adobe Acrobat Reader.

Let’s call it what it is – PDF Reader. There, done.

Next, this current thing is so insecure that it needs monthly updates. What’s up with that? Are the same people programming Reader that used to program Windows? It certainly seems that way, because no other programs I know of require so much maintenance simply to keep the wolf from coming through the door.

Though Reader has been around nearly as long as Windows, it certainly doesn’t have the same number of lines of code to go through. But PDF is a standard format and Reader is the de facto viewer for it, so it is important, and it should become secure. The things that can’t be secured should be dropped. It’s that simple. Security tops any other concern.

Just yesterday an article appeared in several publications; the one I’ll quote here is from InfoWorld:

Just weeks after patching a critical flaw, Adobe Systems is rushing out another patch for its Reader and Acrobat software. The company also patched a critical issue in Flash Player Thursday.

The Flash Player flaw could be used by an attacker to trick a Web browser into doing things that it shouldn’t, but it is not what’s known as a remote-code execution flaw, meaning it can’t be used to directly install unauthorized software on a victim’s computer, said Brad Arkin, Adobe’s director of product security and privacy.

I am not a programmer. After that disclosure, I feel it is important to disclose the fact that I did train to be one for a time, only stopping because other things of great immediacy intervened. What I did learn, during my time in school, was that today programmers have the ability to use tools that help build correctly formed code, and AI programs that iterate the programs more times than any team of programmers ever could, putting any of a number of external conditions and actions into play so as to simulate attacks, and also the simple stupidity of a user, to test for all known conditions. The speed of computers today makes all of this possible; therefore, any of these types of behavior hanging around is simply unacceptable.

If the bug is exploited, “the attacker would be able to execute a general class of cross-site request forgery type of attacks,” Arkin said. Adobe rates the issue as “critical.”

Normally Adobe patches Reader and Acrobat in quarterly security updates, but Adobe is being forced to rush out next Tuesday’s fix because these products are also susceptible to the Flash Player flaw, Arkin said. “We decided that we wanted to get the update for Flash Player out to users as soon as possible,” he said. “We didn’t want to wait any extra time to do a coordinated release.”

In theory, hackers could learn about the bug by looking at the Flash Player patch and then use that information to attack Reader and Acrobat, but Adobe is giving them just a five-day window to complete this work. At present, Adobe isn’t aware of any attacks that exploit this Flash Player bug, Arkin said.

Users who are worried about the Flash Player bug being exploited in Reader can reduce the threat by opening documents outside of the browser, Arkin said.

Next week’s Reader and Acrobat update will also patch another undisclosed issue in the PDF-reading software, he added. The flaws affect Windows, Mac, and Unix platforms.

Adobe’s security has come under scrutiny over the past year as attackers have increasingly leveraged Reader and Acrobat flaws to hack into computers. Because Reader is installed on almost all desktop computers, a well-crafted Reader attack can affect more victims than one that targets Internet Explorer or Firefox.

Adobe’s next scheduled Reader and Acrobat update is due April 13.

Also on Thursday, Adobe patched an “important” bug in its open-source BlazeDS messaging software.

Since they are unable, or unwilling, to do the hard work necessary to fix this (and I’ll be the first to say that many times it is easier to start over than to remove bugs), it is time to completely rewrite the program. It can’t be that hard: Adobe has paid programmers doing a job, and other products that do a similar job are written by far fewer people, sometimes one person, and don’t have nearly as many exploitable flaws.

This is either a slam-dunk for the concept of open source, or a strong argument for cutting the pay of all the programmers at Adobe who refuse to do the job right. Either way, the outcome would be a program that would not need monthly updates, and it could start a trend of software people could once again trust.
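The earlier paragraph about tooling that throws a flood of varied, malformed and user-error-like inputs at a program describes, in practice, what security engineers call fuzzing, and file-format fuzzing is exactly how many PDF-reader flaws of this kind are found. The following is an added example, not code from the original post or from Adobe: a toy parser for a constructed, PDF-like stream object (the real PDF stream syntax is far richer) that trusts the declared /Length, a hardened version that checks the length against the bytes actually present, and a small mutation fuzzer that finds the out-of-bounds read in the first and nothing in the second. The seed document, the mutation strategy and the list of "interesting" integers are all constructed for illustration.

```python
import random
import re

# Constructed sample: a stream object in a simplified PDF-like syntax (the real
# PDF syntax is far richer): a dictionary declaring /Length, the raw bytes,
# a newline, then "endstream".
SEED = b"<< /Length 5 >>stream\nhello\nendstream"
HEADER = re.compile(rb"<<\s*/Length\s+(\d+)\s*>>stream\n")


class ParseError(Exception):
    """Controlled rejection of malformed input; the fuzzer treats this as expected."""


def parse_stream_vulnerable(data: bytes) -> bytes:
    """Trusts the declared /Length: indexes past the buffer when the length lies."""
    m = HEADER.match(data)
    if not m:
        raise ParseError("no stream header")
    length = int(m.group(1))
    start = m.end()
    # Out-of-bounds read: start + length may lie beyond the end of data,
    # which in Python surfaces as an IndexError (in C it would be a crash).
    if data[start + length] != 0x0A:
        raise ParseError("missing newline after stream data")
    if data[start + length + 1:start + length + 10] != b"endstream":
        raise ParseError("missing endstream")
    return data[start:start + length]


def parse_stream_hardened(data: bytes) -> bytes:
    """Checks /Length against the bytes actually present before indexing anything."""
    m = HEADER.match(data)
    if not m:
        raise ParseError("no stream header")
    length = int(m.group(1))
    start = m.end()
    end = start + length
    # Bounds check first: the newline and "endstream" must fit inside data.
    if end + 1 + len(b"endstream") > len(data):
        raise ParseError("/Length exceeds buffer")
    if data[end:end + 1] != b"\n" or data[end + 1:end + 10] != b"endstream":
        raise ParseError("malformed stream trailer")
    return data[start:end]


# Boundary values the fuzzer substitutes for integers it finds in the input.
INTERESTING = [0, 1, 127, 255, 256, 4096, 65535, 2**31 - 1, 2**32 - 1]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to the seed: bit flip, insert, delete, or integer swap."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif choice == 2:
        del data[rng.randrange(len(data))]
    else:
        m = re.search(rb"\d+", bytes(data))
        if m:
            data[m.start():m.end()] = str(rng.choice(INTERESTING)).encode()
    return bytes(data)


def crashes_on(parser, data: bytes):
    """Return the exception class name the parser raises on data, or None if it accepts it."""
    try:
        parser(data)
    except Exception as exc:
        return type(exc).__name__
    return None


def fuzz(parser, seed: bytes = SEED, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Run a mutation-fuzzing campaign; map each unexpected exception type to one triggering sample."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        outcome = crashes_on(parser, sample)
        if outcome is not None and outcome != "ParseError":
            crashes.setdefault(outcome, sample)
    return crashes


if __name__ == "__main__":
    for parser in (parse_stream_vulnerable, parse_stream_hardened):
        found = fuzz(parser)
        print(f"{parser.__name__}: {len(found)} unexpected crash class(es)")
        for name, sample in found.items():
            print(f"  {name}: {sample!r}")
```

The point the fuzzer makes is the one the post is arguing for: the hardened parser is only a few lines longer, and the difference is a single bounds check performed before any index is dereferenced. Real campaigns against a native PDF reader use the same loop with a coverage-guided fuzzer and a real corpus, and detect memory errors with a sanitizer instead of Python exceptions, but the workflow (seed, mutate, run, triage anything that is not a controlled rejection) is identical.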


I take my wife everywhere, but she keeps finding her way back. – Henny Youngman
