28 comments

[ 3.9 ms ] story [ 76.0 ms ] thread
A lot of people prefer to receiving PDFs because they are safer than MS Office documents. Maybe not eh?
PDF's are not inherently insecure. It's just that Adobe Reader is crap (and any sane person would have switched to a better option a long time ago).
Can you list one of those options?
Foxit Reader if you are on Windows, Preview if you're on a Mac, evince if you're on Linux.

I personally do not use Adobe Reader on any platform. I found the alternatives to be both leaner and not lacking any relevant features.

Lately Foxit has been feeling even slower and more bloated than the current Adobe Reader, at least on my setup. I'm pretty happy with SumatraPDF, although it is not terribly featureful so I have Adobe Reader installed as well.
I went back to Adobe after finding Foxit failed to lay out some PDFs correctly (legibly).
sumatra PDF is also a better option
I also use SumatraPDF and find it excellent.
I tried it yesterday, and I was horribly disappointed. Printing a 13 page document took so long (>30s) that I kept killed the process, thinking it had hung. Acrobat 5.something ripped and spooled the same document in maybe a second.
I don't use Reader, as far as I can... unfortunately, some PDF features are not well supported by other clients - for example, comments/mark-up doesn't seem to show up in Preview, usually.

Is there a properly full-featured PDF viewer for Mac that isn't from Adobe?

There are a bunch of alternative PDF readers, I don't know if they are all full featured but I have never run into something that didn't work for me in Sumatra PDF or Foxit Reader. Lifehacker did a roundup a while ago of PDF reader alternatives: http://lifehacker.com/5328211/five-best-pdf-readers
Well is that really true? They've bundled loads of features into the format, the other readers might be safer but only because they don't support those features and they will try to add them at some point. Also PDF is based on postscript which is programming language. It's sufficiently complex that's is never going to be very secure, and after all the main problem with Office documents was Macros.
I don't know a lot of people who would put money on Office being safer than PDF, but I concede that it's surprising that the PDF format could even be a contender in this race.
Half of my day job is supporting about 40 users in our companies New York office. The last 4 infections that I've been able to look into involved adobe reader in one form or another. I've only seen one malicious pdf file, most of the time it's JavaScript that loads reader and delivers a payload. I haven't quite figured out that part yet, and frankly I don't care enough. I'm satisfied knowing the cause.

I keep reader up to date but often these exploits hit either right after an update as been released so the patch hasn't been applied, or there just isn't a patch yet. It's almost enough to make me switch to foxit. I just have to do the research to see if it supports the advanced features (forms, digital signatures, encrypted files) that people are using.

Because who could have predicted allowing Javascript in a document format was a bad idea.
Imagine what would happen if Firefox rendered PDFs natively.
I'm sure I read that Chrome was adding this feature. I heard about it just after the Google-China hacking thing which was apparently partly due to Adobe Reader.
It wasn't. iDefense retracted that part of their report.
That's one class of Reader flaws, but it's not the reason Reader is such a target.
Right, the real reason Reader is a target is because of its ubiquity (especially in the enterprise). The reason why I mentioned Javascript is because I think it highlights Adobe's mindset perfectly. They refuse to design simple and narrowly focused software.
Every time someone makes a comment like "X is too complex", I both agree and immediately think back to:

http://www.jwz.org/doc/easter-eggs.html

Adobe is giving the market what it wants. It may be part of the current zeitgeist that software developers have a paternal responsibility to defer functionality in favor of security and reliability, but that notion --- if it exists in reality anywhere --- is extremely recent.

Reader got complicated long before any major software vendor got religion about security.

I think you capture the issue perfectly. The things you value determine your opinion of software. From where I stand, I value good design (reliability and security are natural side effects). I find the aesthetics of well designed software beautiful.

On the other hand, if I had deadlines and a decade of backward-compatibility to worry about I might have different values. I don't mean to be the highbrow/ivory tower security dude, I'm just speaking to what I value.

I Still never understood why Adobe thinks reader has to do so much. It just has to show a paper. If they would have stuck with that all would have been fine. But they will always be Adobe..
Corporate stuff! They want Reader to be ubiquitous so that the competition can't get in.

Reader doesn't just have to show a paper in an office. It could have a form. It could have a CAD drawing. It could do all sorts of magic that a business can come to rely on.

Imagine how much simpler it is to send a PDF to a client to sign and "submit" as opposed to managing faxes.

Then they should put out a reader lite. which would only allow basic functions. Since most of the non corporate world use nothing but these.
That would be admitting there is something wrong with their program, and it would increase the risk of people not being able to read the format. You would end up with two different PDF 'standards' and it wouldn't help anything.
PDF is an extremely complex standard. Libraries like Prawn are deceptive; generating one class of full-featured PDF documents is an easier task than reading all possible classes of PDF documents.

It's also an ISO standard, so there aren't a lot of degrees of architectural freedom in simplifying and hardening it. Remember that much of PDF predates "modern" vulnerability research.

Bear in mind that the primary reason Reader is the "world's most exploited app" (it probably isn't, but it's one of them) is that it's ubiquitous. It's one of a small group of apps where a break can hand you tens of millions of machines.

Very few apps (I actually can't name one) with that market footprint fare better than Reader is now. Microsoft has poured supernatural amounts of money into Internet Explorer, and they're still getting in the paper over IE zero day.