Security Basics mailing list archives

Re: Adobe Alternatives


From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 29 Sep 2009 10:53:23 -0400

Hi Ron,

> Moving to one of the alternative viewers ... could be
> considered "Security by Obscurity".

How so?

I'm concerned about the basic CompSci 101 stuff such as validating
parameters. From my observations, I don't believe the company
practices 'the basics' or dutifully follows techniques laid out by
folks such as Howard and LeBlanc [1,2], or McGraw [3], or Viega (et
al) [4]. In the titles below, 'Security' does not refer to using AES,
Camellia, SHA, or Whirlpool.

It was not lost on me that Adobe was nailed with another overflow
today (post dated 9/26) [5]. Yet another CompSci 101 failure.

Jeff

[1] Writing Secure Code, ISBN 0-7356-1722-8
[2] Writing Secure Code for Vista, ISBN 0-7356-2393-7
[3] Software Security: Building Security In, ISBN 0-3213-5670-5
[4] 19 Deadly Sins of Software Security: Programming Flaws and How to
Fix Them, ISBN 0-0722-6085-8
[5] http://www.securityfocus.com/archive/1/506739/30/0/threaded

On Mon, Sep 28, 2009 at 6:30 PM,  <ron () gmail com> wrote:
> Moving to one of the alternative viewers (for both types) could be considered "Security by Obscurity".  That being said, I agree that it is probably still a worthwhile move.
>
> Adobe has the majority of the market so they are the biggest target.  Unfortunately they lately have had a poor track record for patching known vulnerabilities as you've pointed out.  Even their downloads are often out of date.  After installing a download, they expect you to immediately check for updates.  Not many "normal" people would do that.
>
> I use PDF-XChange Viewer, you can get it here
>
> http://www.docu-track.com/downloads/
>
> I like PDF-XChange because of the markup features it has.  If markup is not an issue, then Foxit is a good choice, I used Foxit for a while.
>
> A possible alternative for Flash Player could also be RealPlayer, http://www.real.com/realplayer.

[SNIP]
