IT Employment

New software vulnerability: Feature bloat in Adobe apps sacrifices security

Support teams are the boots on the ground when it comes to making sure that computers stay up-to-date and secure. Our job often gets more difficult when software companies rush to put more bells and whistles in their products. Today's example? Flash has undermined Acrobat.

---------------------------------------------------------------------------------------------------------------

This afternoon an alert dropped in my Inbox from US-CERT. (I’ve written about the United States Computer Emergency Readiness Team before, here and here.) On this occasion Homeland Security’s IT security team had my immediate attention. US-CERT had sent out a warning about two programs I use frequently, Flash and Acrobat. My initial reaction was to think, “Wow, Adobe’s having a bad day.” It was only after I read the rest of CERT’s bulletin that I stopped sympathizing with Adobe and started to get annoyed with them. The company had rendered Acrobat insecure by tying it too closely to Flash.

In the past I’ve spoken harshly of Acrobat, but I still use it…quite frequently, as a matter of fact. There are several other competent PDF readers around, but Acrobat’s robust creation engine is useful when I have to build complicated documents from disparate source materials. I use another PDF reader more often, but I have found no suitable replacement for Adobe Acrobat when it comes to doing a few specific things.

I rely on Acrobat to get work done, so I was disappointed to learn how it had been rendered insecure. (Full details and info on disabling Acrobat's Flash support can be found here.) Perhaps there is someone out there who needs to be able to embed a SWF Flash file into a PDF. I am not that person, and I’m angry that an app that’s mission-critical for me carries a vulnerability because of the developer's efforts to bloat the software with additional features. I understand that the technology industry has to remain profitable, and for software companies that means releasing new versions of their applications. More often than not, those subsequent versions have new features. Gotta keep people upgrading, right? I get the economics of why Adobe decided to tie Flash into Acrobat, really I do. The thing that really burns me is that I hadn’t even realized those features had been bundled into the version I am using.
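As an added, defender-side example that is not code from the article or from Adobe: a small Python scanner that flags PDFs carrying embedded Flash before they reach Acrobat, including annotations hidden inside compressed object streams where a plain grep would miss them. The /RichMedia, /Flash and .swf markers are my assumption from the PDF RichMedia annotation extension (not named in the article), and the sample PDFs are constructed inline.

```python
import re
import zlib

# Indicators assumed from the PDF RichMedia annotation extension; not named in the article.
# A /RichMedia annotation or a /Flash instance means the reader will hand content to its
# Flash engine; a .swf file name is a weaker hint.
FLASH_MARKERS = {
    "RichMedia annotation": rb"/Subtype\s*/RichMedia",
    "Flash instance": rb"/Subtype\s*/Flash",
    "SWF file name": rb"\.swf\b",
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate_streams(data: bytes) -> list:
    """Decompress every FlateDecode stream. Annotation dictionaries often sit inside
    compressed object streams (/ObjStm); streams cannot themselves live inside object
    streams, so one level of inflation is enough to expose them."""
    out = []
    for m in STREAM_RE.finditer(data):
        # The stream's own dictionary lies between the preceding "N G obj" and the keyword.
        obj_start = max(data.rfind(b" obj", 0, m.start()), 0)
        if b"/FlateDecode" in data[obj_start:m.start()]:
            try:
                out.append(zlib.decompress(m.group(1)))
            except zlib.error:
                pass  # corrupt or truncated stream; the raw bytes are still scanned
    return out


def find_flash_indicators(pdf_bytes: bytes) -> list:
    """Names of embedded-Flash indicators found in the raw file or its inflated streams."""
    hits = set()
    for blob in [pdf_bytes, *_inflate_streams(pdf_bytes)]:
        for name, pattern in FLASH_MARKERS.items():
            if re.search(pattern, blob):
                hits.add(name)
    return sorted(hits)


def sample_pdf(with_flash: bool) -> bytes:
    """Constructed minimal PDF (not a real document): the annotation object is packed into a
    FlateDecode object stream, so only a scanner that inflates streams can see it."""
    annot = (b"<< /Type /Annot /Subtype /RichMedia /RichMediaContent << /Assets 5 0 R >> >>"
             if with_flash else b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] >>")
    packed = zlib.compress(b"4 0 " + annot)
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
            b"6 0 obj << /Type /ObjStm /N 1 /First 4 /Length " + str(len(packed)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

Run `find_flash_indicators(open(path, "rb").read())` on a real file; an empty list means no Flash markers were found in the raw bytes or in any FlateDecode stream, while a non-empty list is a reason to quarantine the file or open it in a reader without Flash support.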

The main idea that I think support pros should take away from this situation is that when it comes to software, bigger is not always better. When working with management to develop the list of apps that your team will support, consider modularity. Choosing programs that integrate well can improve productivity, but relying too much on large software suites can leave you vulnerable to underlying bugs. The smaller and more self-contained your applications are, the easier it will be to slot in a replacement, should it become necessary.

It may not be possible to avoid super-apps entirely, but I feel that my preference for using smaller programs in my workflow makes me more nimble. What about you? Do you prefer big applications that do a lot, or small programs that specialize in one thing? Is one type of software easier to support than the other? Chime in with your comments.

31 comments
switchfoot

Our office uses Bluebeam in place of Acrobat in every instance. Most of our employees have migrated from Acrobat to Bluebeam, and found it easier to use. It also costs substantially less per seat.

registration999

Features:
1) Smaller than Acrobat (less than 20MB disk space).
2) Executable has switches, which make it easy to roll out to users via a script.
3) Preferences can be pre-defined on 1 computer... exported to server... then imported by all computers at logon time via a script.
4) Ability to annotate PDFs.
5) If a PDF cannot be viewed in the reader (has only happened once)... and you have any version of Acrobat on the computer... (we have version 5)... then an Acrobat button appears in the lower right hand corner... clicking this will display the PDF in Acrobat.
6) Opens PDFs in a new tab.

art

It's great to reuse libraries and only install the features I need. It is also great to know that there are many eyes looking at the code, keeping the development team honest.

justin_m_thomas

In regard to why they included the feature, I think you answered the question with "I understand that the technology industry has to remain profitable." SWFs are used in display ads and can make money for the author of the PDF.

noorman

I've been using Foxit Reader for a long while now; works great and fast. Good enough for me! With automatic upgrades too; just had one.

steamnut

All I usually want is to read PDFs, and the Adobe reader used to be small, fast and no fuss to use. Now I have to fight off massive upgrades and upgrade/no/defer dialogue boxes and even a Windows Adobe start-up task. Adobe is not yet as bad as Apple with its QuickTime upgrades and Sun with its Java upgrades, all trying to sneak a Yahoo toolbar into my browser. Apple at least have stopped trying to sneak in iTunes and Safari installs. Acrobat 6 was 15MB and 8.12 is now 22MB. The original was < 5MB. Software vendors just assume bandwidth and memory are cheap, so why optimise for size any more?

dogknees

While I sympathize with the general thrust of the article... "The thing that really burns me is that I hadn't even realized those features had been bundled into the version I am using." That's no one's fault but yours. It's up to us all to learn what the apps we use are capable of, and how to operate them safely and effectively. Particularly as IT Professionals. Average users, maybe I'd accept, might need training in the more elaborate processes and functions of an application. Some of them, not all.

Regarding the preference for small apps, I kind of agree, and kind of don't. For simple tasks it makes sense, but for a lot of application domains, it doesn't. Try breaking something like AutoCAD into small chunks that make sense. There's so much underlying code that would need to be duplicated in each mini-app that they'd be almost as large and complex as the full system. Also, the moment you need one function that's not in the mini-app, you need to manage extra applications. For most people I think this would be more confusing than one app that covers the domain.

Personally, I have no problem with bundling everything into a big application. I don't find it significantly harder to learn or support them. After all, 20 menus is not more complex or difficult than 2. You learn them one at a time anyway; there are just more of them.

Really, the issue isn't that more functionality is bundled together, it's that the vendor doesn't do sufficient testing of the final combination. This applies to most large vendors. Ultimately, they chose to include the functions, so they have the responsibility to ensure they're correct. It's about time the big vendors started using automated verification of the correctness of their code. The theory behind this is now fairly mature, so why aren't they using it? The cost divided over the number of units sold would be minimal.

jmgarvin

It's impossible to take it seriously anymore. I'm surprised Adobe is still around with the crap they are selling. It's only a matter of time before people drop Adobe products and move onto products that aren't bloaty, have ridiculous licensing, and aren't as vulnerable.

williamjones

Adobe's Flash carries a pretty serious vulnerability, and any machine installed with the most recent version of Flash Player or Acrobat is susceptible to attack. What do you do when you hear about a case like this? Do vulnerability reports affect what software you use or support? Or are insecure applications just par for the course?

JCitizen

if you really want protection. The malware will simply look for Adobe reader and execute it. WOW! Absolutely NO advisories at Secunia for this product. Excellent choice registration999!! I hope PDF X-Change View works for x64 system!

Joanne Lowery

For previous versions of the Acrobat reader it was possible to prevent the loading of unnecessary DLLs by using a switch at launch. Does the latest reader still allow this, and does anyone know what the switches are?

APitchford

I installed the latest update of iTunes last week, and Safari and MobileMe were both checked off by default. Thanks, Apple - I don't even have an iPhone!

no1kilo

I think many of you are just plain missing the boat on this. It's not about a single application with many features; it's about 1 program installing two. Adobe Acrobat and Flash are two separate programs linked together. It is this idea that irks me. I install one program and am not given the option to select what I want installed. The program I have issue with is the Nero Burning program. I wasn't aware that Nero would also install a file indexer program, and that file indexer would prevent my system from shutting down because nmiindexer.exe stopped responding. Bloat is when a developer thinks a 3rd party addon is going to make sense or make life easier for the end user when in fact it only complicates matters. When you can't uninstall the one without affecting the other, it's just plain madness.

dogknees

What about those of us that use 90% or more of the functionality of Photoshop on a regular basis? You're happy for us to lose this ability? Why would I assume I know what others might use? It's arrogant and impossible.

MelvinJames18

I'll think about it before I'm going to open Adobe's Flash.

ginmemphis

I don't appreciate hidden bundled software, and it seems to me that Adobe has gotten out of hand. You can't even uninstall Reader without tracking down a special program on their site. Personally, I want to know what's being installed, how much space it's taking up, and only use what I need. Professionally, I administer a small system with "average" users who don't know Flash from mash. For most people a computer is like a car; they need to drive it, not update security patches on demand.

a.barry

I don't know why Adobe chose to allow embedded Flash in a format designed to represent a printed (non-interactive) document, but it might put an end to PDF being a "safe" document format. Hopefully people won't embed Flash in a PDF, so the other vendors don't feel they have to play catch-up.

JohnMcGrew

...a developer gets more obsessed with grafting more and more features into a system, with a greater priority given to time-to-market than quality or efficiency to the end user. A prime example of Adobe's bloat factor is that they feel the need to pre-load Acrobat at boot time so that the user doesn't have to wait 30 seconds for it to load when it's actually needed. They figure most people won't notice the extra seconds their boot up takes compared to the annoyance they'd feel staring at a splash screen if it had to load on-demand.

Tony Hopkinson

Just view a PDF file in your browser and look at the names and number of the DLLs it loads.

TomMerritt

I've seen CutePDF and FoxIT-3 mentioned in several other posts here. That's what I use and recommend to my customers. CutePDF is a fantastic PDF creator. It simply installs as a printer. If you can assemble something and print it, you've got a PDF. As far as viewing PDFs, FoxIT 3 is very nice. I've dropped this combo on several dozen customers without a complaint.

Funny, I was just working with a customer yesterday. She had a problem, and was way behind on updates, so I decided to kick them all off before proceeding. I made the mistake of allowing Acrobat 8-3 to kick off. It took something like 15 minutes, then wanted a reboot! Folks, this is a dang PDF reader, not an accounting system! Admittedly, my cheapo customer has a crap machine, but this is raging insanity. Didn't I see somewhere else on TechRepublic that Adobe was rated the #1 annoying and intrusive software? That's amazing. Microsoft and Symantec are pretty hard to beat in that category.

switchfoot

Its biggest drawback is that it only works on Windows. So, not a good solution for Mac or Linux users.

Gerbilferrit

PDF reader: Foxit Reader - excellent lightweight PDF reader with tabbed functionality - no need to open multiple reader apps to have multiple docs open.
PDF creator: loads out there, many act as simple printer emulators; Foxit have one, CutePDF, PDFill.
PDF manipulation software: CutePDF Pro, Foxit PDF writer, PDFill PDF editor.
PDF indexing for SharePoint: Foxit again, 4 times faster than Adobe's efforts at indexing PDFs, though admittedly not free for servers; free for indexing and integrating into desktop search engines though.
Photoshop: well, you can't beat Photoshop for hardcore image editing; some good free alternatives though if your bods ain't so hardcore: Paint.NET, GIMP.
You don't have to rely on Adobe; there are many cheap or free lightweight alternatives out there to Adobe's behemoth apps for general office use.

Neon Samurai

There are some functions that other programs don't provide, so if it's one of those then you're stuck with Adobe. If you need a PDF writer, CutePDF works well for Windows. You don't get clickable hyperlinks and it also doesn't work well for huge files. Outside of those two limitations, it works very well for a Windows solution. In terms of the file format, PDF is very handy, but I wouldn't be opposed to using a different static print-ready format with a "writer" printer driver and light viewers. This is probably more the case, being that the issue is allowing dynamic content embedded within static PDF. And badly done dynamic content also, being that it's the Flash media format. Outside of PDF formats, there are replacements for Adobe's other software unless you're in that 10% of professionals that require the more industrial functions. In this case, it would take time for some of the competing products to catch up, but I can see GIMP and GIMPshop improving pretty quick with those new user needs. Blender has evolved drastically through the very same effect of professionals using it and requesting changes.

Tony Hopkinson

We don't use it to produce the PDFs in our applications, but that's because it doesn't integrate very well. We don't do Flash, and for graphics manipulation we use GIMP. Marketing use it for their stuff, as do our technical writers.

jmgarvin

I never assumed anything, I stated a fact. Adobe is crapware. They have security issues constantly and are bloating out their products to the point where they are unusable.

Tony Hopkinson

Are you happy with your level of dependency on insecure, bloated, flaky garbage? You shouldn't be; after all, it's not the first vulnerability they've had discovered, and given what I can see of their approach, it won't be the last either.

Neon Samurai

They've said the patch is ready by July 30th. My stopwatch is ticking. The problem with PDF is that the format itself is rather handy, but only Adobe converters can really produce that fine-looking file. CutePDF comes closest for me, but it still lacks some features of the format. If they can address the vulnerabilities in a timely manner then that's something at least. Seven days is far better than Flash Player 10 64-bit's year or more delay outside of Windows and OS X. The Linux native 64-bit beta seems to work OK; it's about time I checked back to see if a production release of it is available yet.