Re: Adobe Alternatives

[Stephen Mullins <steve.mullins.work () gmail com>]

How much trouble would it be to bundle a Foxit exploit in a .pdf file
containing an Acrobat/Reader exploit?  Adobe easily maintains over 95%
of the .pdf reader market, so obviously it would be both a waste of
time and resources to develop exploits for alternative readers and
then actively try to utilize them.  On the other hand, if the bad guys
aren't paying much attention, neither is anybody else.  That means an
alternative .pdf file viewer could have an active exploit floating
around for a very long time before it was detected (IF it is detected,
virtually all professional organizations use Adobe and a home user
would experience the secondary payload and not know how it got there
so nothing would be reported).

I don't have a lot of faith that some obscure freeware program is
necessarily more secure.  It might make you feel more secure because
you don't hear about exploits being released every other week like you
do with Acrobat, but in reality you may be worse off.

You're hoping that nobody bothers to develop exploits for the
alternative program, and hoping that even if they do, you won't run
into their payload delivery method because most of the malicious .pdf
documents are targeting Adobe.

So which is better?  Fully patched Adobe Acrobat/Reader with dozens
(hundreds? thousands?) of "researchers" of every stripe pounding away
at it day and night to discover vulnerabilities, or an obscure third
party program that *almost* nobody bothers to look at?

In the one case you're secure until the next Adobe exploit, and in the
other case you're just playing percentages and hoping for the best.

Just throwing some thoughts on the matter out there.

Steve Mullins

On Tue, Sep 29, 2009 at 10:53 AM, Jeffrey Walton <noloader () gmail com> wrote:
> Hi Ron,
>
> > Moving to one of the alternative viewers ... could be
> > considered "Security by Obscurity".
> How so?
>
> I'm concerned about the basic CompSci 101 stuff such as validating
> parameters. From my observations, I don't believe the company
> practices 'the basics' or dutifully follows techniques laid out by
> folks such as Howard and LeBlanc [1,2], or McGraw [3], or Viega (et
> al) [4]. In the titles below, 'Security' does not refer to using AES,
> Camellia, SHA, or Whirlpool.
>
> It was not lost on me that Adobe was nailed with another overflow
> today (post dated 9/26) [5]. Yet another CompSci 101 failure.
>
> Jeff
>
> [1] Writing Secure Code, ISBN 0-7356-1722-8
> [2] Writing Secure Code for Vista, ISBN 0-7356-2393-7
> [3] Software Security: Building Security In, ISBN 0-3213-5670-5
> [4] 19 Deadly Sins of Software Security: Programming Flaws and How to
> Fix Them, ISBN 0-0722-6085-8
> [5] http://www.securityfocus.com/archive/1/506739/30/0/threaded
>
> On Mon, Sep 28, 2009 at 6:30 PM,  <ron () gmail com> wrote:
> > Moving to one of the alternative viewers (for both types) could be considered "Security by Obscurity".  That being 
> > said, I agree that it is probably still a worthwhile move.
> >
> > Adobe has the majority of the market so they are the biggest target.  Unfortunately they lately have had a poor 
> > track record for patching known vulnerabilities as you've pointed out.  Even their downloads are often out of date.  
> > After installing a download, they expect you to immediately check for updates.  Not many "normal" people would do 
> > that.
> >
> > I use PDF-XChange Viewer, you can get it here
> >
> > http://www.docu-track.com/downloads/
> >
> > I like it PDF-XChange because the markup features it has.  If markup is not an issue, then Foxit is a good choice, I 
> > used Foxit for a while.
> >
> > A possible alternative for Flash Player could also be RealPlayer, http://www.real.com/realplayer.
> >
> > [SNIP]
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------