Security Basics mailing list archives

Re: Adobe Alternatives


From: Jason Troy <jason.troy () gmail com>
Date: Wed, 14 Oct 2009 11:25:53 -0500

I do agree with Stephen - just because you don't hear about issues
does not mean it's an acceptable solution.
Go back to your model and determine what you are trying to solve and
what risk you are willing to accept.

I love how the thread got quiet right before they announced this:

APSB09-15 - Security Updates available for Adobe Reader and
Acrobat "... vulnerabilities could cause the application to crash and
could potentially allow an attacker to take control of the
affected system. This update represents the second quarterly
security update for Adobe Reader and Acrobat."

http://www.adobe.com/support/security/bulletins/apsb09-15.html

Vulnerability identifier: APSB09-15
CVE number: CVE-2007-0048, CVE-2007-0045, CVE-2009-2564,
CVE-2009-2979, CVE-2009-2980, CVE-2009-2981, CVE-2009-2982,
CVE-2009-2983, CVE-2009-2984, CVE-2009-2985, CVE-2009-2986,
CVE-2009-2987, CVE-2009-2988, CVE-2009-2989, CVE-2009-2990,
CVE-2009-2991, CVE-2009-2992, CVE-2009-2993, CVE-2009-2994,
CVE-2009-2995, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998,
CVE-2009-3431, CVE-2009-3458, CVE-2009-3459, CVE-2009-3460,
CVE-2009-3461, CVE-2009-3462

-- JT



On Sun, Oct 11, 2009 at 09:30, Stephen Mullins wrote:
How much trouble would it be to bundle a Foxit exploit in a .pdf file
containing an Acrobat/Reader exploit?  Adobe easily maintains over 95%
of the .pdf reader market, so obviously it would be both a waste of
time and resources to develop exploits for alternative readers and
then actively try to utilize them.  On the other hand, if the bad guys
aren't paying much attention, neither is anybody else.  That means an
alternative .pdf file viewer could have an active exploit floating
around for a very long time before it was detected (IF it is detected,
virtually all professional organizations use Adobe and a home user
would experience the secondary payload and not know how it got there
so nothing would be reported).

I don't have a lot of faith that some obscure freeware program is
necessarily more secure.  It might make you feel more secure because
you don't hear about exploits being released every other week like you
do with Acrobat, but in reality you may be worse off.

You're hoping that nobody bothers to develop exploits for the
alternative program, and hoping that even if they do, you won't run
into their payload delivery method because most of the malicious .pdf
documents are targeting Adobe.

So which is better?  Fully patched Adobe Acrobat/Reader with dozens
(hundreds? thousands?) of "researchers" of every stripe pounding away
at it day and night to discover vulnerabilities, or an obscure third
party program that *almost* nobody bothers to look at?

In the one case you're secure until the next Adobe exploit, and in the
other case you're just playing percentages and hoping for the best.

Just throwing some thoughts on the matter out there.

Steve Mullins



