Tuesday, August 25, 2009

An Acrobat (PDF) Reader Alternative

I wrote about an Adobe zero-day exploit a while back... They've been in the security news quite a bit lately; their huge success with Acrobat as a document distribution standard and the Flash media player becoming more and more common has ironically made their products a favored target of malware creators.

I finally got fed up with how large Adobe Acrobat Reader has gotten - the version 9 installer for XP is 35.7 MB (vs. 21 MB for v8, 15 MB for v6, ...) - so recently I installed a free alternative called Foxit. The latest version, 3.1, has a 5 MB installer that results in a 7.2 MB installation. Compare this to the 206 MB Acrobat Reader installation that is on my PC!!! (wtf?)

But the best news is that Foxit starts up much faster than Acrobat Reader. I view PDFs all the time, and so far I have not had any issues with this application. It does have a tiny advertisement window as shown below (the blue area in the upper right corner), but this only seems to advertise Foxit's own payware products, which seems fair given that the reader is free.


I'll also mention that Foxit is potentially a better choice than Acrobat Reader since most exploits that are targeted at Acrobat do not manifest themselves in Foxit. However, Foxit's popularity as an Acrobat alternative has made it the target of the malware authors, but it appears that the Foxit folks take security seriously and are prompt to release updates, as discussed here.

For the moment Foxit is available for Windows, Linux, and some handheld OSs, but not the Mac.

Wednesday, July 29, 2009

Why you should switch to Firefox

Executive summary: If you're using Internet Explorer v7 or earlier as your web browser, you should seriously consider switching to Firefox. Even if you're using the new v8 of IE, you're still not going to have as much protection from malware as with FF and the NoScript plugin.

--

I have been using Firefox as my primary browser for several years, and generally try to avoid Internet Explorer as much as possible. (Sometimes, though, it's not possible - my previous employer only supported IE for all of its Oracle infrastructure.) IE, being the most popular browser in the world - primarily because it is essentially built-in to Microsoft Windows - has been the primary target of cybercriminals for quite a while. Also, I like the fact that Firefox's user community has developed any number of (occasionally) useful plugins for it.

One (free) Firefox plugin that I run religiously on all of my systems is NoScript. Although there's a little bit of a hassle factor involved with using it, I feel a lot more "protected" from malicious web sites with it turned on. With its default settings, it will initially block all JavaScript, Java, Flash, etc. content and require you to specifically allow that content to be downloaded and displayed. You have the option of temporarily allowing content from a specific site, or adding the site to a "white list" of sites that will always be allowed through. (It protects against several other potential exploits, such as cross-site scripting.)

What prompted me to finally write something about Firefox and NoScript (this has been on my to-do list for a while) is the zero-day Adobe exploit that I posted about earlier today. NoScript can protect you from the exploit described in that post.

Finally: At the top I mentioned IE v8, which was released recently. I was hoping that Microsoft would take some steps to improve IE's resistance to malware, and I think they've made some good progress, but I found an article that seems to indicate that IE still has a ways to go. So although I'll continue to evaluate IE v8 on my Vista install as an intellectual exercise, I'll be keeping Firefox (and NoScript) as my favored "surfboard" for the indefinite future.

Urgent: Majority of Windows systems vulnerable to Flash/Acrobat zero-day exploit

Firstly - you may be hearing the term "zero day exploit" more often these days in discussions about security issues. It basically means that the exploit under discussion is already being taken advantage of by the crooks.

Anyway, here are all of the details about the Flash/Acrobat Reader weakness. What is a little different about this one is that more than a few "legitimate" web sites have become infected with malicious Flash content, and so it's quite possible to be exposed to Eeeevil Stuff even if you're not snooping around the darker corners (and tubes) of the Internet. (Flash is used everywhere these days - e.g. YouTube basically runs on it.) Also, unlike some earlier exploits, disabling JavaScript in Acrobat (which you should do - it's turned on by default when Acrobat Reader is installed) does not provide protection against this malware.

What seems almost criminal about this is that Adobe has apparently known about this defect for seven months. However, the exploit that actually takes advantage of it is apparently much more recent. I guess they decided to wait until really bad stuff happened before actually fixing their software...

Tuesday, July 21, 2009

A Pathetic Example of a Hacker...

First: the good news - this guy is probably wearing a bright orange jumper at the moment. The bad news - the accused was a security guard at a Texas hospital, and in his idle moments, he figured out how to break into some of the hospital computers - including the system that controls the hospital's heating and air conditioning systems. It doesn't seem that killing anyone was his real goal, but it gets hot down there and if he had wanted to turn off the AC on a hot day, he could've, causing all kinds of problems for the hospital. Fortunately his ego got the better of him and he posted YouTube videos of his adventures and other clues which led to his sudden wardrobe adjustment.

The whole story is here, which has a link to his last couple posts (prior to getting arrested!) on a hacker forum that he was a member of. (The best part about that thread is where someone labeled him a Massive Chunk of Fail after he was caught - that made me cackle.)

While we're on the topic of computers and health care - did you hear about the MRI machines that were infected with the Conficker worm a while back? Of course, that only happened because the machines had an internet connection. Doh!

Friday, July 10, 2009

New "zero day" Microsoft IE exploit

This has been in the news quite a bit over the last few days, but the nature of it prompts me to briefly post about it: there is a vulnerability in Internet Explorer versions 6 and 7 that can cause your Windows XP or Server 2003 system to be "hacked" just by visiting a site that is serving up the exploit - you don't even have to click on anything. The Microsoft Security Advisory about it is a pretty technical read, so check out this link first for information that is actually readable 8^) . There is a link there that will use MS's relatively new "Fix It" technology to download a ".msi" installer file that will install a workaround. I just tried this and it is pretty easy to do!

Here is yet another example of why it might be smart to use a browser other than Internet Explorer - most casual (and some not-so-casual) Windows users have it as their default, and sometimes only browser. I have been using Firefox for several years - it's not perfect, and as it becomes more popular it's getting its own share of attention from the crooks, but it's still not as prevalent as IE by about two-thirds. Other alternatives are Opera and Google Chrome (neither of which I've used much).

If you insist on using IE, at least update to the latest version, IE 8 (read about it here). You might already have it, as MS has made it a critical update for most or all Windows versions - which I'm not sure I agree with. I suppose (and hope) that their motivation might be that it has enough significant security updates so as to make it "critical" for most IE users.

Friday, May 15, 2009

Back Up or Be Stupid - your choice

One of my hobbies is flight simulation, and pursuant to that, I've been reading the Avsim flight sim community web site for well over ten years. The URL is http://www.avsim.com, but as I'm typing this at about 5PM PDT on Friday, the site is dead and gone.

It's gained that unenviable status because some, uh, (gotta watch my language here) nefarious, lowlife, twisted, gin'd up, lily-livered, one-eyed son of a prairie dog (a.k.a. hacker) managed to bring down not one but both of their servers. The problem is that apparently the administrators of that site were using these systems to back each other up, and the hacker deleted the main partitions on the hard drives of both. I don't want to opine whether or not their backup "strategy" was a dumb one - although more than a few Avsim subscribers have already done so (and I do question why they didn't have an off-site master backup somewhere) - but it brings home in a dramatic and tragic way that we all really need to back up our important data. You know that, I know that, we all know that, but the fact is that probably every minute of the day someone somewhere loses data that is precious and irreplaceable, yet gone forever.

Now, my own backup strategy is fairly lame - periodically, I back up my most important data on this (home office) system to a USB memory stick, and less periodically I duplicate that stick's contents to another one, and keep that second stick "somewhere else" (e.g. in my car) just in case the house burns down. However - and it's really embarrassing to admit this - at this moment all of my memory sticks are in the house "somewhere" (I think I know where they all are). So if this great old house that we live in (that still has some knob-and-tube wiring) burns up, I'm S.O.L. I guess I know what I'll be doing tomorrow...

So maybe I'm writing this as much to myself as to you, but at any rate, here's yet another reminder to make a copy of your really important Data Stuff.

Here's an idea: go to your favorite big-box warehouse - e.g. Costco - and buy one of those 2-packs of 4GB SanDisk (or whatever) USB flash drives. Back up everything that you care about onto one (assuming it will all fit), and then do a direct copy of everything on that drive to the other one. Keep the second one at your office, in your glovebox, whatever - just somewhere else than the first one. Voila! With that $40-ish investment and a little time, you'll probably be better off than you are right now.

Another idea, which I have not yet tried but sounds like a hella good deal, is to use a web-based backup service. One that I'm aware of, Carbonite.com, backs up as much data as you can throw at it (from a single hard drive, anyway) for about $5 a month, and via a background process keeps the backed up data "sync'd" with any changes you make on your computer. There are at least a few other, similar companies - just google "remote backup" for more information.

Wednesday, May 13, 2009

To Update or Not To Update?

Early on in this blog, I encouraged you to keep Microsoft Windows updated with whatever Critical Updates that Microsoft pushes out. (BTW these are typically pushed on Patch Tuesday, unless something really serious comes up that Microsoft deems worthy of immediate attention. If you've got Automatic Notification turned on for Windows Updates - which you should - it's practically a sure thing that you'll get a popup on every single Patch Tuesday that there's new stuff to go get.)

However, for many years I took the attitude with my systems' applications that "if it ain't broke, don't fix it". As a for-instance: until fairly recently I had been loath to update Adobe Acrobat Reader to a newer version, because all that newer Acrobat versions have seemed to do is get way bigger and more unstable, so I was running version 5 until only a couple months ago on one of my PCs (the current version is 9.1).

I really wish I could continue with that mindset, but unfortunately (if your system is connected to the internet, anyway) it just really isn't advisable anymore. New exploits (cracks in the armor) are being found at a dizzying rate for practically any popular application that in any way interacts with your network/the internet.

However, keeping everything updated on a rigorous basis can be a serious pain in the okole, as I realized only yesterday. In general I am not a big Apple QuickTime player fan, but because iTunes installs it automatically (and because some media on the web is in ".mov" QT format), it's on all of my systems. On some of those systems, I have iTunes' automatic update notification turned off because I don't run iTunes on them on a regular basis - and so the QT format on at least one of them is fairly old. That's a bad thing, because according to the QT Wikipedia entry, all versions prior to v7.5.5 have a cross-site scripting vulnerability. I won't go into XSS here, but the point is that I have potentially opened myself up to Bad Stuff that I might inadvertently encounter just by clicking the "play" button on a video at some site that I'm not terribly familiar with.

It's unfortunate that we've come to this point, because Acrobat is not the only application by a long shot that seems to get bloated with every new release - in many cases, with things that we don't care about, but that the creators stick in there just to keep it New And Fresh.

I thought about making a list of applications that you should consider keeping an eye on, but I've decided that it would be very long but yet ultimately incomplete. So just be mindful of the applications you use in your web journeys, not forgetting things like QuickTime (and Acrobat) that you might never run directly, but that are auto-run by your browser when you click on something neat.