Hacker News
Why does Adobe Reader need so many updates? (reddit.com)
193 points by wave on Feb 25, 2011 | 82 comments



When I read that comment I decided it was time to uninstall Adobe Reader and found it was taking up 145MB of disk space. Many thoughts went through my mind. Maybe there was a whole virtual civilization in there and I just wiped it out. Maybe Adobe Reader is Skynet and I'm John Connor. Maybe it was time to find a new PDF viewer.

My first try was Foxit. I found its short name promising. The installer confused me with talks of Javascript and safe mode, did not look good. First paper I opened crashed the program. *sigh* Sumatra had the colourful charm of the web in the 90s. I was almost ready to give up the resistance. I took a deep breath and clicked the link of the installer. Before the next breath it was installed and I was opening PDFs that looked just fine.

TL;DR remove adobe reader, install Sumatra


Yeah, Foxit is getting pretty bloated too. My PDF reader of choice on Windows now is Evince. It may not look pretty, but it's fast and lightweight without any fluff.


I've no problems with its looks, but is there a way to not start with "fit page width" and therefore a bigger window? I always have to resize and change the mode, which is unpleasant. (on Windows) Thanks in advance!


It's open source; you can probably just tweak a global variable somewhere :P


Actually you don't need to install another app... Once you've removed Reader, just set the PDF filetype to always be opened by Google Chrome. It views, prints, and it's blazing fast.


Google chrome viewer looks promising, but also crashes for me on some PDFs.


> TL;DR remove adobe reader, install Sumatra

... Try to print anything... Remove Sumatra... Install Adobe Reader.


Print?


Sumatra is a good application choice for safety, but be aware - the printing support is either really bad or non-functional depending on the document.


I moved to Sumatra PDF many moons ago and have never looked back. It is like the Google Chrome of PDF viewers.


I'm honestly interested... Was that intended to be a subtle joke or a serious analogy?


I was actually serious. When Chrome came out I left Firefox since Chrome was so much faster on my PC. Same thing with Sumatra. I guess the analogy would work well for those who had a similar experience with Chrome. :)


That much I guessed. I just wondered if you realised that Chrome itself has a PDF viewer built-in these days, making Google Chrome the Google Chrome of PDF readers. :-)


That certainly makes a good joke. :-) But no, I didn't have that in mind.


Yep. Sumatra is great for snappy viewing. But do not print! What it does is convert whole pages into bitmaps and choke the memory and the network.

I would strongly recommend PDF-XChange. I was a heavy Foxit user, but then it became bloated too and Sumatra lacks some features like highlighting and commenting.


I really like PDF-XChange. It's fast, prints well, has multiple tabs and extra editing stuff like stamps and adding text (which I never use).


Isn't Okular available for Windows? Although you probably have to install a decent amount of KDE libraries.


Because Adobe has some kind of serious systemic code quality issue and they get beat by exploit writers all the time. It doesn't help that their applications are so popular and widely installed that they present a juicy target. I refuse to have Acrobat installed, and I'm super paranoid about where I let Flash run.

If you have Flash and Acrobat installed and let the plugins run anytime a site requests them, you're begging to be owned (and owned and owned).


That last statement might be a tad exaggerated....

I've been using Flash and Adobe/Acrobat reader for years and have yet to be "owned" through either channel, and I spend a lot of time browsing the web.


Obviously I can't speak to your situation specifically, but it is very common these days for people to have malware that was installed through an exploit that they've never detected - indeed it can be very difficult to detect a lot of modern malware without in-memory analysis and skilled forensics. Signature tools and things like Malwarebytes are extremely hit and miss. OS X and Linux are even worse off (at least with standard configurations) once something has done a remote code execution and gotten a privesc.

Poll a few people who do security work and ask them if they have Acrobat or Flash or the JDK installed at all, or running on pages by default. You'll hear about the same thing.

Even 5 years ago was a very different world as far as threats go.

I'd strongly suggest using an alternate PDF reader (Apple, Google, Evince, Sumatra) and using Flashblock.


Without wanting to go into more details, I work a job that makes me see and analyze more Adobe vulnerabilities than anybody else outside of Adobe.

Having said that, I run both Flash and Adobe Reader (and Foxit for dubious stuff) on my normal machine. The number of 0-days exploited in the wild is not actually that big (I'd like to see stats here but I am not aware of any) and the odds of being hit by an 0-day exploit are really low. When people get owned through Adobe exploits, it is because they are not updating regularly.


I definitely agree with you that when (most) people get owned it's because they're not updating regularly - and I don't want to discount your opinion at all as clearly you're in a position to know the risks.

But (as I'm sure you know) Adobe does have 0-days quite often and can take weeks to distribute a patch. The Sep 14 CVE-2010-2883 drop for example was being exploited seemingly quite widely by ~Sep 20, and Adobe didn't push a patch until Oct 4. That's a pretty big window to be open to a drive-by iframe vuln. Also, doesn't Adobe updater take 7 or 14 days between update checks? It used to, at least.

The thing about not running them at all (or on opt-in) is it also mitigates some of the danger in update lagging. It seems a majority of the time when I touch someone else's computer they have an Adobe product that's out of date and being actively exploited (on the internet) - even if they appear to try to keep up to date with the patches.


I got nailed by some Whitesmoke Translator malware that seemed to re-appear every time Acrobat updated. I eventually just wiped my HD and upgraded to Windows 7 which I had been putting off for a while. Nothing like a good virus to convince you it's time to wipe your HD.


An honest question - to you or anyone who basically feels the same way:

What methods do you use to determine if you're running hostile code? How often do you look? Do you check from another OS? Keep hashes of system files?

Let me expand on the theory that most malware hosts have absolutely no idea (and not just the dumb ones):

Once installed, many threats actively evade AV, personal firewalls, and code signing requirements. Are you booting a livecd and checking hashes of the boot block and boot chain against previously saved values? What about the hash of your EPROMs?

I understand that sounds very paranoid - but advanced toolkits that attack the BIOS or boot loader are widely available. Are they only for juicy targets? TDL4 - an advanced threat that starts in the boot block and has used private 0-days - is engaged in the super spy thriller business of clickfraud. $10k will buy you a kit from Israel that inserts similar code into the system BIOS and is designed for non-techies to deploy.

Expecting to see increased resource usage? CPU, RAM, network speed are all far outstripping most actual application needs and the resources needed for a keylogger, affinity rewriter, ad inserter or similar are vanishingly small.

Expecting a signature hit in some security software? Authors check their own code frequently - when signatures get deployed that catch them they simply recompile and tweak until they're undetected again.

Expecting pop-up ads, AV scareware, spamming activity or fraud alerts on your credit card? Some threats are like that, yes, but shrinking. Just as or more likely are threats that manipulate search results, add affiliate tags to big ticket items, slip paid SEO links into blogs, steal your banking credentials but decide you're too poor or in an inconvenient county or steal company IP/plans/etc for Chinese, Russian, French, Korean etc. competitors - the impact of which may take years or never be identified.

Expecting unknown, suspicious or hidden processes? Hiding in plain sight is a common and effective tactic. Can you tell the difference between a game installed codec, a useful codec with legal clickstream collections installed by a torrent downloader and a codec that was installed by exploit and rewrites your network traffic? Looking at a process list how many are you positive were running last month? Can you tell if Skype is loading a dll or so that it wasn't before?

Think you're an unlikely target? Odds are that's true. However, automated tools can be deployed against thousands of targets and if only one or two have something really juicy it was a worthwhile effort. Proprietary IP of almost every type has some value to someone be it term sheets, source code, M&A data, business process, sales leads, P&L data etc. Could your SO think you're cheating? Smartphone malware sold for 3000 yuan (~$450) supposedly marketed to housewives was found running on 150,000 Chinese phones - it real time tracks your location, records audio, video and pictures regularly or on demand, steals credentials and all email/im/sms traffic. If you're of no interest it's possible your next door neighbor is, or his girlfriend, or someone who gets coffee where you do.

20 years ago malware was made by hobbyists. 10 years ago malware was made by small independent businessmen and specialty concerns. 5 years ago malware was made by organized crime, corporate espionage and intelligence agencies. Today malware is made by private organizations with hundreds of employees and traditional office space, teams supporting major M&A lawyers, the FBI to execute wiretapping warrants, defense contractors, ad networks, energy companies, virtual currency resellers, intelligence services conducting broad surveillance on foreign populations and security services conducting broad surveillance on their own citizenry.

One reason you don't hear a lot about it is there are very few practical solutions out there to be implemented. Microsoft, Google, Apple, Oracle and Intel are all making inroads to various degrees but practically it is decidedly a losing game so far. For the time being their profit margins depend on people not getting scared away. Law enforcement and Intelligence services that might have warned against such threats in another era are by and large too busy exploiting them.

I fully understand that this all sounds very tinfoil hat and extremist. All the examples given are real and happening to very real people every day. The threat model has radically changed - it may just take another 3-5 years for everyone to understand the new rules.


This might be a paranoid way of looking at it, but certainly true. Stuxnet was and is deployed on thousands of computers for several years until they found it. I wonder how much else is just sitting there undetected.


What's an "affinity rewriter"?


Sorry, I meant affiliate.


I assumed it changed the processor affinity for a running process. :/


I can't speak to exploits, but Flash cookies and their application feel so unethical to me that I'd personally count them as owning unsophisticated users. http://www.macromedia.com/support/documentation/en/flashplay...


Make sure the user account that you run Flash and Adobe Reader under is not privileged. I hosed my account once on a bad PDF, but it didn't get past the one user account.


Be aware that pretty much anything doing a remote code execution follows it up with local privilege escalation exploits - which are rather common and frequently don't get top priority for fixes.


I am more aggravated by the fact that when Reader installs an update, it re-adds an icon to my desktop.

For the life of me, I can't think of a single reason why I would ever want to launch Reader by itself (and not by launching a PDF file).


Worse, it seems to require a full computer reboot. Every. Time. This implies it is hooked so deeply into Windows that if Reader sneezes, Windows will get an appendectomy.


Out of interest, what Windows version are you running? Adobe hasn't asked me to reboot in quite a long while.


Win 7, but, on reflection, I'm not being fair to Adobe. I just remembered I have Acrobat installed on that computer, not just Reader, and it is undoubtedly Acrobat updates that are causing my reboot pain.


This accurately describes the way my university network behaved.


It's a by-product of the silly installer they use. The reader installer team probably consists of 1 guy.


One is the optimal number of people to put on the task of fixing a bug of this magnitude.


You say that as if it's too little... but really, one guy just on the installer?


Not only that, but I have Foxit as my default pdf reader, and when I update Reader on Win7, it forces itself to become the default reader --- WITHOUT MY PERMISSION. This is just aggressively rude of Adobe.


I have exactly one reason to launch Reader by itself: when setting up a computer for another user in my organization, I launch Reader once to accept the license agreement on his/her behalf. Then I delete the icon.


Download the customisation wizard, build a transform which installs it with the EULA accepted and no desktop icon.


On two occasions, my wife received PDF monstrosities via her school. The first time, I was astounded at the size of a PDF we had to download. When we opened it, it contained a movie. I was dumbstruck.

The second time, I tried to open one with Foxit and was informed that I MUST use Acrobat, which I dutifully installed. This PDF was actually a browsable archive of OTHER PDFs.

We already have video files, and even streaming video. We already have zip files. I want to beg Adobe to stop the madness, but if they've already put an email server inside Reader, there is truly no hope.


The bar was set at embedding a flight simulator as an easter egg, so Adobe does still have room to grow here.


Since Chrome started including a PDF plugin out-of-the-box I've started opening PDFs with it and haven't looked back since.


Yeah, just wish there was an easy way to download once in the viewer.


Have you tried Ctrl+S or selecting 'Save page as...' from the wrench menu? I'm running the dev build so I don't know what's in beta or stable, but I get a nice little dialog box to save the PDF.


What? Like Ctrl-S?


That re-downloads the file from the server, whereas the Adobe plugin keeps a cache of the file and saves it straight to disk. Most of the time there's no difference, but if the PDF came from a single-use URL provided by your bank to view a statement, then there's no way to save the PDF file from the Chrome viewer.


That is certainly a big usability oversight (especially with large PDFs), I remember Chrome used to do that with images as well.

However, if those PDFs are requested via HTTP, unless the bank gives appropriate caching headers I think Chrome is technically correct in re-requesting them: they might have changed in the meantime. (I assume it does the same with webpages when you save them.)

The fact that the bank gives you a URL you can only HTTP GET once does sound like very bad implementation on their behalf. Perhaps it's a cookie issue, or even a bug in Chrome itself?


I don’t consider that to be the correct behavior at all. When I want to save something I want to save it exactly as displayed. Requesting the page again could defeat the whole purpose of saving the page.

Here is one example: You opened the front page of some news site a few hours ago and now want to save it. Since news sites change frequently you would save a completely different page compared to what you actually wanted to save if the page were re-requested when saving. This is destructive behavior! No browser should do that.

(I just tested what Google Chrome actually does. It does not actually re-request the page when saving.)


Chrome also reloads the page when viewing the source-code. Annoying for the same reason. You can see the source-as-is via the inspector but, still...


I'm using Chrome 8 on Linux, and Ctrl-S in the PDF viewer most definitely does not re-download the file. I know this because when I do that, Evince cannot open the saved file (the Chrome version has stuff at the end that the original does not). I always have to go back to the linking site and select "save target as".


I've completely switched to Preview on the Mac and Foxit Reader on my PC and haven't looked back.


With you 100%. Except for when I had to read documentation for the UPS API, which requires Reader (by design). Terrible. This isn’t a PDF, it’s an abomination. http://yfrog.com/4ewijp


Google Chrome has a built in (ok, a plug-in, but I think it's there by default) pdf viewer. Works pretty well for me.


I actually view Chrome's PDF plugin as a complete abomination (at least on the Mac), and go out of my way to nuke it. It's slow, and there is _no_ easy way to open the PDF displayed in a PDF handling app (i.e. Preview) without resorting to copy and pasting the URL into wget.


Cmd + S or using Safari


You can open PDFs displayed in Safari in Preview without saving them to the disk. (There is also a button that puts the document in the Downloads folder.) Chrome’s PDF viewer is better than Adobe’s plugin but worse than Safari’s PDF viewer.


Try Skim on OS X. It's a very good app http://skim-app.sourceforge.net/ with annotation ability.

Preview is also pretty good though, it has nice gems like cropping pages. http://hints.macworld.com/article.php?story=200711012305556


The last time I installed Foxit, it tried to install spyware on my computer. At least with Adobe Reader all the crap comes from the same company.

Evince on Ubuntu has worked great for the past few years for me.


> "At least with Adobe Reader all the crap comes from the same company."

Actually, last time I updated Adobe Reader it came with a copy of McAfee something or another...

That was when I nuked all traces of Reader off my system. Not only is their software crappy, bloated, and slow, but it's also a crapware vector to boot.

If I were a dev on the Reader team, I'd be pretty depressed about my life - millions of people cursing your name, eviscerating your product in forums and boards everywhere, everyday... and they're right.


The fact that millions of people are using their software and the fact that they have a real problem to solve (to silence the haters) does not sound so depressing to me. On the contrary, many developers would be happy to have such a problem.


This is one of the main reasons why we launched crocodoc.com, to do the same thing to Adobe Acrobat that Gmail did to Outlook: Take a bloated offline application, bring it online, make it easy to use, and make it accessible to the masses.

When you think about some of the most common reasons why people use software like Acrobat and Word (e.g. viewing a document, filling out & saving a PDF form, commenting on a presentation with a group), these are all things that should be easy to do online or on your mobile device. That's the vision we're working towards at Crocodoc: view and collaborate on any document on any device.


Ech. What a horribly inaccurate and confused post. Somehow the writer managed to completely conflate Adobe Reader and Adobe Acrobat, two related but different products. I'm not one to defend Adobe, but this misinformed raving doesn't shed light on anything.


The full PDF standard, for which Reader is the reference implementation and things like Foxit serve but subsets, is also much larger than you think it is.


It's amazing that Windows hasn't got even a tiny back-to-basics PDF viewer included by itself. (Or maybe the more recent versions do?)

I've been using Evince (or whatever it is that ships with Ubuntu this year) for years and never even considered that there might be a case where one would want to install a separate PDF viewer. Before that, xpdf was the standard reader and it was enough, too. Maybe Linux desktop isn't that bad altogether.


Windows 7 has an XPS Viewer (Microsoft's attempt to replace PDF).


I left Acrobat when I left Windows :) I feel like it is one of the first things my mom would download and install after a fresh Windows XP format/install.


This is why I enjoy using Mac OS X -- it has great PDF support built-in, so no need for Adobe software.


I was seriously annoyed recently when my former employer's payroll software required that I have Adobe's PDF plugin installed to download my W2. It wasn't a .pdf link, no; it insisted on using the plugin before it would let me save a copy.


Because Adobe sucks. I hate them.


Has reddit been appearing on Hacker News far more frequently recently or is it just a coincidence? I'm sure this is the 2nd or 3rd time I've seen it.


This app refreshes too frequently. That one refreshes too infrequently. Then I installed this other one and it refreshed just right. Then 3 Bears came in and crushed my computer.


Brrrr, Reddit still scares me. And these 'Adobe Flash Updates' when I start a Windows machine don't reassure me either.


Ever since 10.1 the Flash updater is ridiculously fast and never asks me to restart my system. Easily the best automatic update experience among the various programs that constantly need to update themselves.


I think Chrome is still the winner here. I don't even notice when it upgrades itself.


Now that Flash is baked into Chrome, if you only use Chrome you never have to worry about Flash updates. Last time a new version was announced, I was surprised to find it had already been automatically updated for me.


I'm still a Firefox devotee, so I don't have first-hand experience with Chrome.

However, I'm not sure there's a good way for Flash to provide that kind of seamless update experience in the same way. It's not an application in itself, so it can't check for updates with the consistency that a browser can, and when it does run it's always to immediately execute whatever Flash content was requested, so there's less leeway for it to start updating itself in the background and potentially impact performance. Currently it pops up a window on startup every once in a while (I skipped it the first time and it didn't bug me again for maybe 2 weeks) and it's maybe 2 clicks and 20 seconds of downloading. It's not Chrome-level seamless, but it's pretty damn good and I was surprised by how good it was compared to Acrobat and every other updater I've used in the past.


Chrome has a background process that does the updating for it; Adobe could in fact use the same code Google does if they wanted (and it'd likely be much higher quality than anything Adobe wrote for themselves!): http://code.google.com/p/omaha/ http://code.google.com/p/update-engine/


Flash isn't an application? Sure, its primary usage is as a plugin, but you can be sure it's an application too. And even if there aren't EXEs anywhere (there are), why wouldn't they bundle one specifically for auto-updates? The rest of the industry needs to get on board with auto updates. Or Windows and Mac need to work on some sort of package management.


I mean application from the user perspective, i.e. you don't go: "Hey I'll start up Flash and do something with it." Other things start Flash, the user never just starts Flash on their own.



