Adobe Reader X Quick Review

I originally wrote this article for HijinksInc.com
_________________________________________________
Background
Last week Adobe released a new version of Adobe Acrobat, version X.  This is a new version of the program that many of us use every day.  In the past people shied away from new versions of Acrobat reader because over the years the program had become bloated and slow.  However this new version offers important security benefits and speed improvements that make the upgrade worth it.

As many people know Adobe Reader has become one of the favorite attack vectors for hackers and malware over the past few years for a number of reasons including.

  1. The install base is huge! Most new PC’s come with it preinstalled, if not almost everyone needs a PDF viewer and Adobe’s is the most popular.
  2. Quarterly updates that Adobe releases are too slow and infrequent, Only if an exploit is really bad does Adobe decided to do an out of cycle update.  Even with these updates few people know that the program needs updated.  The automatic updates in version 9 have been better but still seem to fail most of the time.  Manual updating seems to be required.
  3. The ability to run things such as Javascript in a PDF exist and are on by default.  Just about everyone does not need this feature and it represents a large place to exploit.
The Good
Security
The biggest feature of version X is the introduction of a Sandbox.  A sandbox provides isolation  of the program from the operating system, to lessen the chance of security exploits.  Adobe does a great job in explaining all about the sandbox features in these two blog posts, Sandbox Post 1,  Sandbox Post 2, Sandbox Post 3, Sandbox Post 4.  This is such a big thing from a security angle that the SANS institute has recommended that everyone install Adobe Reader X to get this feature.  https://isc.sans.edu/diary.html?storyid=9976

Speed
Surprisingly this new version is faster than the old version 9.  It appears to be less bloated and quicker responding.

Other changes
I noticed the voice that will read text to you if you want seems to be more like a human.  The flow is greatly improved. The interface has been tweaked slightly to have more of a beveled edge, silver stainless steel look.  I like it.  Its nothing revolutionary but a nice, clean change.  The updater also now allows for you to set it to automatically download and install updates.  Hopefully this works well and allows the program to stay up to date without much user intervention.   I do hope Adobe changes their company policy and moves to a monthly update policy on the second Tuesday of the month, like Microsoft.  This will make the task of corporate administration much easier on the administrator.

The Bad
By default two security settings are on, when they should be disabled for increased security.  They pertain to features that a very, very small percentage of users actually use.  If for some reason you needed these someday you can easily turn them on, but for maximum security they should be off.  Adobe has even recommended doing this when the program has had problems in the past.
So to disable these settings go under EDIT—> Preferences —-> Then on the Left hand side choose JavaScript and then at the top of the page, uncheck the box that says “Enable Acrobat JavaScript

The second option that needs changed is under this same menu.  Choose Trust Manager on the left hand side of the page, then at the top of the page uncheck the box that says “Allow Opening of non-PDF file attachments with external applications”

The other bad thing is that despite these new security features the very people you are trying to keep out are trying to take advantage of this new release to push their spamware most of it dubbed “Adobe Acrobat 2010” THIS IS FAKE and Malware, DO NOT INSTALL.  The SANS institute has a nice post about this as well, even with photos! https://isc.sans.edu/diary.html?storyid=9982

In conclusion when combined with the new security features and increased performance this seems like a great thing to have if you like the official client.  Here is a direct download for Windows ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.0.0/en_US/AdbeRdr1000_en_US.exe

HijinksInc – Secunia PSI The security tool every Windows user should be running.

Originially published at Hijinks Inc on September 1, 2010
____________________________________________________________
Lets be honest, Windows security is not the easiest thing to manage. On top of the Microsoft products, there exist the 3rd party programs that tend to be forgotten about. Microsoft has made great progress with the security of Windows in its most recent releases of Windows 7 and Office 2010, but that’s only part of the solution. The Microsoft update website and built in Microsoft update utility in Windows Vista and Windows 7 have helped a great deal with keeping Microsoft products up to date, but these are far from all of the programs that most people run. Persons crafting malicious code such as viruses, malware, etc know this and are targeting other programs too. These 3rd party programs do not have a common updater and each must be updated on its own, for example, programs like Adobe Flash Player, Adobe Acrobat, Java, and Firefox, just to name a few. It is a lot for the average user to do, especially considering there is no general update policy (IE, Patch Tuesday) with most vendors, and announcements about updates are quiet.

Enter Secunia PSI. This is a free (for personal use) program put out by the Secunia company. They specialize in finding exploits and providing monitoring software. PSI (Personal Security Inspector) is a tool that scans the programs on your hard drive and then does version checks against its vast list of known exploits. It then notifies you of older versions and tells you where you need to go to fix them. The program is great for finding those programs you rarely use and forget about when updating.

The program is smart. For Microsoft websites it knows to open them in Internet Explorer so the download tools will work. It also allows you to rescan specific programs after you update them instead of spending time to rescan your entire drive. It also offers the ability to ignore a specific program if for instance you need the older version for a custom tool to work. It will run in the background and notify you when new updates are available or new known exploits exist. It also offers an advanced mode which offers more features and details. In advanced mode PSI will tell you about products you have installed that are no longer supported by their vendors and any known exploits that exist in them.

Secunia also offers a product called OSI (Online Security Inspector) which is a great tool as well. It is similar to PSI but does not require you to install anything. However, it does require Java to run in the browser. While not as thorough as PSI, it’s similar in operation and usage.

In conclusion, this is a great tool that is very thorough and easy enough to use that every user should have this in their tool box and run it as part of a biweekly security audit. It really helps to inform users of out of date software that could leave their computer vulnerable. While PSI is targeted for personal use, they offer a corporate version that is a paid version. Its functionality is similar but it also offers many more features.

____________________________________________

Update #1

Since this article was originally posted Secunia has come out with a new version of its PSI security tool that is currently in beta. It is called Secunia PSI 2.0. You can grab a copy for free here. The big feature that this adds is the ability to install updates silently and automatically if you choose. I think this could be a great feature especially for people who don’t want to deal with always having to update their computers.