Adobe Reader and Acrobat once again have a JavaScript vulnerability. The following quote is from Adobe’s Product Security Incident Response Team (PSIRT) blog dated 27 April 2009:

“All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all affected versions for all platforms (Windows, Macintosh and Unix) to resolve this issue. We are working on a development schedule for these updates and will post a timeline as soon as possible. We are currently not aware of any reports of exploits in the wild for this issue.”

Adobe’s attempt at a solution is to recommend disabling JavaScript until they can figure it out:

  1. Launch Acrobat or Adobe Reader
  2. Select Edit>Preferences
  3. Select the JavaScript Category
  4. Uncheck the ‘Enable Acrobat JavaScript’ option
  5. Click OK

Not good

I must admit that I’ve been a staunch supporter of Adobe products for many years. Now, I’m starting to question that loyalty as it’s affecting me personally along with what I tell my clients. It’s especially frustrating, being Adobe’s second major vulnerability in the past three months. I explained the first vulnerability in my article “Adobe Alert: Updates available for latest zero-day exploit.”

I even took my own advice to heart and updated my clients’ workstations to Adobe Reader 9.0 as soon as I heard about the February exploit. Now, I have to go and tell them that even after updating, Adobe Reader and Acrobat are still vulnerable. That’s not going to be something my clients want to hear.

Changing course

I began a quest last week, determined to find a replacement for Adobe Reader. I had no idea there were so many free PDF readers to choose from. After reading way too many evaluations, I narrowed the myriad of choices down to three: Foxit Reader, Sumatra PDF, and PDF-XChange Viewer.

Then came testing and talking to the experts (you know, the actual users). Foxit Reader won hands down and will be what I recommend to my clients as a replacement for Adobe Reader. The application is lightweight, more responsive and the developers have a history of quickly repairing product vulnerabilities.

Acrobat is a different story

Next I started looking for an adequate replacement for Adobe Acrobat. Truth be told, I’m not having much success. The user experts keep reminding me that my suggestions don’t have the same features inherent to Acrobat and they aren’t going to accept anything less.

One feature they prize, and which is absent in most other PDF-creating applications, is Adobe’s Combine Files wizard. It allows you to merge multiple PDF files into a single PDF document or a PDF package. I have to admit that I’d be lost without that capability myself. So now what? Let’s review what I’m facing and need to resolve:

  • Adobe Acrobat is just as vulnerable as Reader.
  • Replacing Acrobat would require an application with equivalent features.
  • Even if found, replacing something that works would be a tough sell monetarily.
  • Disabling JavaScript is not an option.

Temporary solution

I’m sure Adobe will come out with a fix, but when? History has already proven that the bad guys beat Adobe to the punch, creating zero-day exploits long before patches come out. Knowing that, along with clients wondering if I had a clue, gave me enough incentive to figure out a workable solution.

I decided to install Foxit Reader on all the workstations, even those using Acrobat, and then explain to everyone that they need to use Foxit Reader for viewing PDF files, at least until Adobe rolls out the fix for the current vulnerability. Getting everyone’s blessing was easier than I thought. It just so happens that Foxit Reader opens PDF files a lot faster than either Adobe Reader or Acrobat.

Even so, I thought I’d increase the safety margin by configuring Foxit Reader to have priority when opening PDF files. That option is offered during installation, or can be changed afterwards by opening Foxit Reader, clicking on the help button, and checking “Set to Default PDF Reader”.

Final thoughts

My Acrobat fix is far from being a perfect solution. So I’m hoping Adobe will get the patches released quickly. I’m still looking for a replacement for Acrobat too. Foxit comes close, but you have to buy three independent applications: Creator, Editor, and Organizer. If you have something that works, I’d appreciate hearing about it.