New version of Adobe Acrobat Reader has X appeal

Vulnerabilities in Adobe Acrobat Reader are a common attack point for malware and various exploits. According to the Adobe Acrobat blog, the latest version, Reader X, boasts a significant security enhancement as well as a long list of improvements for Android users.

A new "Protected Mode" in Reader is enabled by default and designed to make viewing PDF files less risky by isolating Reader write calls, thus restricting the app’s ability to make changes to the Windows file system and registry. Further reading on this protected mode can be found on Adobe’s security blog.

In addition to enhanced security, Reader X incorporates support for various multimedia elements, including videos. The Android version offers a bevy of improvements, such as "support for Tablets, go to page, search, opening Portfolios and password protected PDF files, and sharing PDF files via email."

Now is a good time for Adobe to start paying more attention to security, as Google recently integrated a lightweight PDF viewer into its Chrome browser. While the real test for Adobe will be addressing inevitable security holes when they do appear, better security right out of the box is a step in the right direction.

Comments closed
    • Bauxite
    • 9 years ago

    This only applies to JavaScript exploits, all the other ones people come up with will have no problem since they are outside the “sandbox”.

    Given their design history (“security? whats that?”) I have little to no faith in their ability to get a sandbox right anytime soon. It probably just means a short delay until the next wave of 0days, then a longer delay for some patches.

    The last ~3 years of Adobe has been nuts. They are not just pie in the sky theoretical exploits, but stuff used everywhere, every day.

    PDF == EXE, Watch out for those CVEs!
    (yes, it rhymes)

      • BlackStar
      • 9 years ago

      In fact, Adobe Reader recently surpassed MS Office as the most common attack vector. The fact that Adobe’s security record is atrocious doesn’t help, either…

        • Bauxite
        • 9 years ago

        Late 2008 was recently? 🙂

    • BlackStar
    • 9 years ago

    [deleted]

    • Shining Arcanine
    • 9 years ago

    Am I the only person who thought that Adobe was bringing graphics acceleration to UNIX-like systems when I read the article title about the new version having X appeal from my RSS reader?

    • djgandy
    • 9 years ago

    This is Reader 10 by the way. Not a special fork of Reader, that you can use instead of 9.

    • Disco
    • 9 years ago

    When is this version supposed to be available? Acrobat 9 is not officially compatible with Office 2010 and I’ve had some major issues with my Acrobat 8 and Win7. So far, I’ve been able to get by with the Office 2010 ‘save as PDF’ option (which works surprisingly well) but I do need more control of my pdf creation and editing over the longer term.

    • LiamC
    • 9 years ago

    Uninstall Adobe Reader.

    Install Foxit. http://www.foxitsoftware.com/

    • sweatshopking
    • 9 years ago

    I like computers!

    • mockingbird
    • 9 years ago

    Here’s how to make Adobe Acrobat more secure:

    First of all use no version later than 6.0.6.1 from 1/8/2007. Recent enough, no? I can’t imagine the “advances” in Acrobat technology that would warrant the later bloated versions.

    Next, disable the MIME in Internet Exploder, and disable the Acrobat Plugin in Firefox. This way, when you click on a PDF, it will save it to your hard disk, rather than load it through the browser.

    It’s not the reader that has these vulnerabilities, it’s the MIME.

    • bthylafh
    • 9 years ago

    I give this one three weeks before a vulnerability is discovered, and another week or two before it’s patched.

      • ManAtVista
      • 9 years ago

      This update wasn’t designed to eliminate vulnerabilities, a practically impossible task in any complex code base, it was designed to greatly limit their impact. Now the vulnerabilities that will show up won’t allow malware to install on the PC and autorun at boot up, nor allow them to corrupt the user files. Making the point of making the exploit in the first place, mostly moot. Windows Vista and 7 users can use tools like chml.exe [http://www.minasi.com/apps/] to make their data unreadable as well as the default unwritable to sandboxed/protected mode applications.

        • indeego
        • 9 years ago

        And both Vista, 7, and Chrome have all had system-level vulns within their respectively protected sandboxes. In the case of Chrome, they have been rather frequent (and also very quickly patched, to credit them.)

        I think what has saved 7 and Chrome from mass press is the difficulty in exploiting these holes.

        I have zero to little confidence Adobe has fixed their application without introducing new vectors of attack. <.<

          • ManAtVista
          • 9 years ago

          Of course a vuln. in the sandbox is possible, but it’s a much smaller attack surface than a huge application like IE and Reader would have by themselves, has probably many fewer vulnerabilities and they are likely found and repaired easier. Hell, even your hardware firewall could have a vuln. in it, and many probably do, but it’s much better than not having a firewall. Also, now you need *two* vulnerabilities to infect the system, one to get through the sandbox/firewall and one to corrupt Adobe/IE (or the network applications in an OS in the case of a firewall). This increases the work a malware author has to do by a lot, and shortens the window on the usability of any new 0-days by a lot. All around this is a great security feature, although no, not 100% bullet proof forever or anything.
