New software vulnerability: Feature bloat in Adobe apps sacrifices security

Support teams are the boots on the ground when it comes to making sure that computers stay up-to-date and secure. Our job often gets more difficult when software companies rush to put more bells and whistles in their products. Today's example? Flash has undermined Acrobat.

This afternoon an alert dropped in my Inbox from US-CERT. (I've written about the United States Computer Emergency Readiness Team before, here and here.) On this occasion Homeland Security's IT security team had my immediate attention. US-CERT had sent out a warning about two programs I use frequently, Flash and Acrobat. My initial reaction was to think, "Wow, Adobe's having a bad day." It was only after I read the rest of CERT's bulletin that I stopped sympathizing with Adobe and started to get annoyed with them. The company had rendered Acrobat insecure by tying it too closely to Flash.

In the past I've spoken harshly of Acrobat, but I still use it…quite frequently, as a matter of fact. There are several other competent PDF readers around, but Acrobat's robust creation engine is useful when I have to build complicated documents from disparate source materials. I use another PDF reader more often, but I have found no suitable replacement for Adobe Acrobat when it comes to doing a few specific things.

I rely on Acrobat to get work done, so I was disappointed to learn how it had been rendered insecure. (Full details and info on disabling Acrobat's Flash support can be found here.) Perhaps there is someone out there who needs to be able to embed a SWF Flash file into a PDF. I am not that person, and I'm angry that an app that's mission-critical for me carries a vulnerability because of the developer's efforts to bloat the software with additional features. I understand that the technology industry has to remain profitable, and for software companies that means releasing new versions of their applications. More often than not, those subsequent versions have new features. Gotta keep people upgrading, right? I get the economics of why Adobe decided to tie Flash into Acrobat, really I do. The thing that really burns me is that I hadn't even realized those features had been bundled into the version I am using.

The main idea that I think support pros should take away from this situation is that when it comes to software, bigger is not always better. When working with management to develop the list of apps that your team will support, consider modularity. Choosing programs that integrate well can improve productivity, but relying too much on large software suites can leave you vulnerable to underlying bugs. The smaller and more self-contained your applications are, the easier it will be to slot in a replacement, should it become necessary.

It may not be possible to avoid super-apps entirely, but I feel that my preference for using smaller programs in my workflow makes me more nimble. What about you? Do you prefer big applications that do a lot, or small programs that specialize in one thing? Is one type of software easier to support than the other? Chime in with your comments.
