Adobe Reader X With Sandbox Due In November

Trailrunner7 writes "Adobe will finally release the new version of its Reader software — which will include the much-anticipated Protected Mode security feature — next month. Adobe Reader X will include a number of other new features in addition to the sandbox feature. Adobe officials have been discussing Protected Mode for several months now and said early on that it would be included in the next version of Reader, but had never set a time line for the release of Reader X. Now, the company says the new version will be available in November, although no specific date was announced."

At Last!

[WrongSizeGlass]

At last ... the malware writers will have a new challenge, and just in time for those long holiday weekends. I'm betting they find a way around Adobe's "sandbox" before the end of the year. Adobe used to make very good software - now they make very exploitable software.

Re:At Last!

[ByOhTek]

The big question is... Which will be released first?

The new version, or the exploits for the new version.

Re:

[ByOhTek]

Do you define the species of an egg by what produced it, or what came out of it?

If the former, the chicken. If the latter, the egg.

Re:

[metrix007]

Actually, evolutionarily, the chicken came first.

http://www.msnbc.msn.com/id/38238685/ns/technology_and_science-science/ [msn.com] [msn.com]

The chicken would have had to have the mutation necessary to lay the egg in the first place.

Re:

[ByOhTek]

Sorry, don't have flash. If that is talking about the eggshell protein, the logic is idiotic, and demonstrates either a reporter too eager to say something, or a scientist too desperate for funding and speaking out his ass.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[grub]

What I don't really understand is why they ever updated PDF beyond being a simple document format - it introduced all of these vulnerabilities

There would be no money in the long run had they released "Reader v1.0" and turned off the lights.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[neumayr]

Acrobat isn't replaced by "Print to PDF". Not by a long shot.
If all this extra functionality is actually needed, I do not know. But making PDF popular is part of what lets them sell their ADEPT DRM solution, and I'm sure that's making them a pretty penny.

Re:

[RDW]

The really irritating thing is that if you do need the full Acrobat package you have to buy an upgrade as soon as your version is EOL'd, even if you're perfectly happy with its features, because there'll be no more security updates to fix whatever gaping vulnerability has been discovered that week. Since they release a new version about every two years, and only support it for 5 years from first release, if you buy a version towards the end of its release period you could have as little as 3 years before th

Re:

[Ant P.]

Is that the DRM I can turn on and off at will in Okular using a checkbox in the options window?

Re:

[rudy_wayne]

hey still can make good software, which they proceed to sell for very large quantities of cash. What I don't really understand is why they ever updated PDF beyond being a simple document format - it introduced all of these vulnerabilities, and gave them a lot more work to do on their free reader software, for little real value. What was wrong with just keeping it as a simple extension of postscript?

Like any product, they have to keep producing new versions with new "features" so that existing users will wan

Re:

[arth1]

It's called "feeping creaturitis". You have to come out with new versions in order to sell, and new versions need something new. It's easy for things that absolutely don't belong to creep in, when you've run out of good ideas.

Remember Lett's Law: "All programs evolve until they can send email."
(And my corollary: "Except Exchange")

Re:

[BlitzTech]

Don't forget Zawinski's Law of Software Envelopment:

Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.

Re:

[DrSkwid]

Or these days :

All software expands until it reaches Twitter.

which includes hardware :

http://www.reghardware.com/2010/10/15/lexmark_twitter_printer/ [reghardware.com]

Re:

[JonySuede]

postscript is already turing complete...

Re:

[phantomcircuit]

They added the new features to sell upgrade of their document production software.

Re:At Last!

[Skuld-Chan]

Having worked on Adobe Acrobat (and Reader) for the last 8 or so years (my name is in a good chunk of all the release credits since version 5 or 6) the feature to add form support was added in version 3 (which came out in the mid 90's) as an addon.

It was added for the same reason a lot of features were added - to extend the product compete in a specific marketplace - specifically places where forms are displayed. Same reason a lot of features in a lot of products are added - to make more money in another market.

Where I work now they use a development kit from Datatel called Colleague - most of what it does is display forms from a pick database and read or save these fields (it has scheduling, accounting/ap/ar etc as well built in). You could in fact use Acrobat to display these same forms. And if your migrating from a paper based workflow - you can in fact scan all these forms in, add a bunch of fields with whatever logic JS provides (and in turn hook that into whatever logic livecycle server provides) and you have an electronic version of the paper form you used to file away.

That was in fact (as I recall it was a while back) the marketing pitch.

It does work too - there's even support for SAP. At one point the IRS had grand visions of filing all your taxes electronically with it (but since we can't have nice things in this country that got canned) - so it does have a lot of potential. Since something like 90% of all PC's have some version of Reader - it's an excellent target platform if you want to display paper like forms on the net.

But like ANYTHING that has any kind of outside connectivity it's vulnerable to attack. People on here always herald other technologies as they would save us from whatever we use now, but its just a matter of what is and isn't the target. Acrobat 4 and 5 had massive vulnerabilities, but no-one ever complained about rogue pdf files because it wasn't a target. I remember the first big vulnerability on Acrobat 7 - it wasn't sanitizing inputs (it does now!) and allowed a PDF to execute commands on the PC (very similar to the bobby tables comic). After that exploit - the blood was in the water and everyone and their sister wanted to poke away at the code to find new ones (and being a very old product it has plenty of them...).

Re:At Last!

[Anonymous Coward]

So why is it that Acrobat reader is 200mb and takes forever to install, and installs several other adobe products with it and then requires admin rights to install updates so it always gets outdated and becomes vulnerable?... it's because it has become bloatware. Just like Quickbooks, it just keeps getting slower and slower and slower, and contains more features that 90% of users wont ever use.

SumatraPDF is like 1.5MB and installs in less than 5 seconds and opens instantly

Perhaps there should be a Lite version of Adobe Acrobat for people who just want to view PDF files... we could call it "Adobe Acrobat Reader"

Re:

[Freultwah]

Perhaps there should be a Lite version of Adobe Acrobat for people who just want to view PDF files... we could call it "Adobe Acrobat Reader"

And somewhere along the way, like in 2003, we could drop "Acrobat" from the reader's name to make the product even leaner and lighter.

Re:

[Skuld-Chan]

Reader 9 is 90 megs, not 200... The actual viewer itself is about 20 megabytes - the rest are plugins which you don't need to view pdf files.

You could roll your own Adobe Reader lite - all the plugins are windows installer components - you could actually build your own reader lite and roll it out to your own organization - patches will still work like normal.

On my Dell Optiplex 980 - cold start of reader 9 is instantaneous so not sure what to say there. They really do measure start performance of the app in

alternatives...

[DrYak]

It's call Preview :o)

or Okular (KDE) or Evine (GNOME) or Sumatra or Foxit (Win32) or even PalmPDF (old school PalmOS) etc.

it seems that nowaday, everyone is able to make a decent PDF reader (thanks, among other, to Xpdf whose code ended up in poppler). Well except adobe themselves...

Re:

[waddleman]

BTW. I filed last year taxes with the IRS using this feature. See the free file fillable forms options. The forms do a lot of the basic math calculations also.

Re:

[Matt Perry]

Having worked on Adobe Acrobat (and Reader) for the last 8 or so years (my name is in a good chunk of all the release credits since version 5 or 6)

Aha! So you are to blame! Get him, boys!

Re:

[Skuld-Chan]

Hardly ;) - my main job was to triage enterprise support issues (which meant writing and analyzing bugs, debugging problems, sometimes even traveling on site etc). As such - I worked closely with the developers on the product itself (a lot of fixed bugs, new features - stuff like that I owned the process on :)).

Re:

[BitZtream]

So why not just use HTML, its penetration rate is higher than PDF, has more software for displaying it, and does pretty much all the same shit ... oh, and most browsers have some sort of security mechanisms built in.

Its neat that you worked on Acrobat and its dirty children, but don't you think you could have spent that time doing something better than reinventing the wheel in a substandard way?

Whats great is that you take credit for a bunch of work in acrobat, then proceed to point out (probably not intent

Re:

[peragrin]

because unlike HTML PDF prints the same every time?

There is a reason why every major printer/press uses PDF. because of postscript it prints the same way every time. no other document format today does that.

what I wish is that it didn't take the full version of adobe to make PDF forms. That you could make them just as simply as one makes regular PDF's

Re:

[BitZtream]

Wrong. Adobe reader has done a REAL good job about maintaining compatibility, which is fairly easy in its case.

Start using different viewers and PDF starts to look different.

You want HTML to always print the same? Simple, specify a single browser to use and documents will always print the same there too.

Now I realize your point is that PDF is consistent and browsers very widely, but the only reason that is true is because one company controls the PDF format and the move standard forward internally without

Re:

[Skuld-Chan]

Well you can't overlay a form field on a scanned form in HTML with exact positioning (you might be able to now, I have no idea).

Also you have to remember in 95 - html forms were primitive at best. A lot of these solutions were developed a long time ago and still have to be supported.

Its a very similar situation with Flash vs. HTML-5. Flash solved a problem HTML could not at the time so it had a lot of adoption in places HTML-5 is slowly catching up on now (if that makes sense).

Also another big thing - the d

Re:At Last!

[pclminion]

PDF is not an extension of PostScript. There is a superficial similarity between the PDF content stream format and PostScript, and although this was done deliberately to make printing PDFs to PostScript devices simpler, it is not a real derivative of PostScript. For instance, there is no operand stack, and there are no control flow or looping constructions.

A PDF file is essentially an object-oriented database. Some of the contents of this database are graphics operator streams which are syntactically similar to PostScript. That is where the similarity begins and where it ends.

Re:

[BitZtream]

Yea, so uhm, its based on PostScript then isn't it? You know, PostScript but different ... so it could be sent to PostScript printers easily ...

Re:

[pclminion]

It's "based on PostScript" in the same sense that Windows 7 is "based on DOS." The relationship is minor, incidental, and as a matter of fact, not even guaranteed going forward. PDF has a concept of a "ProcSet," a set of macros which are exported to a PostScript device prior to sending a page content stream. These ProcSets used to be mandatory. They are no longer required and are now considered deprecated. What it means is that natural PDF content streams are no longer directly usable by PostScript printers

Re:

[Quiet_Desperation]

I went to a connector manufacturer web page the other day for a data sheet, and they had 3D models of the connector in PDF format. You could open it op and rotate the 3D model around in a PDF. Didn't work worth a damn on a six month old PC with an i7 and gobs of RAM and a moderate graphics card, so I had to wonder what the point was. Our mecha guys are just going to import the real models into Pro-E anyway. I can get the gist of a connector from a good 2D CAD drawing.

Re:

[JeffSpudrinski]

What you say is very true, but at least there's an effort on Adobe's part.

Albeit a long overdue and woefully underpowered effort...but an effort nonetheless.

Just my $0.02.

-JJS

Re:

[MichaelKristopeit 14]

all software is a sandbox for itself... adding another layer of equally exploitable bloat is not a feature.

Re:

[gad_zuki!]

To be fair, they're using MS's protected mode which IE uses and from what I've gathered there haven't been any exploits that break through it. Please note add-ons do not run in protected mode, so if something is targeting your Java or Adobe Reader then those run normally.

Protected mode allows very limited access to the OS and forces a broker process to handle anything that interacts with the user's system. [microsoft.com] Yes, its hackable like most things in life, but its a pretty smart design that I think will limit expl

Re:

[arndawg]

Microsoft and Google helped them on this sandbox so I have faith that this is a step forward.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Aquina]

Exactly! I guess they will never ever get that damn thing safe enough to compete with evince, kpdf or whatever. Honestly the only reason to use that Adobe Acrobat Reader crap is because it supports dozens of non-free features; that whole scripting and stuff. When I try to print out a document from my post office to send a package or something I will always have to call them for sending me a non-script version of the document. I doubt they will ever listen to their customers or take their security more serio

Putting the rotten, festering tomato in a can...

[carlhaagen]

...will surely make it more attractive and suitable for consumption. Good one, Adobe.

Re:

[Hal_Porter]

She's switched to non "your Dad" men too.

when your os...

[Anonymous Coward]

...makes you always run with admin rights ( they should toss that policy out the *window*), individual programs have to act like little operating systems and do their own rights separation.

Re:when your os...

[afidel]

Windows hasn't done that since 2000 if you know what you are doing.... Even less so for Vista/2008 and up.

Re:

[the_womble]

True. I had to click some extra buttons to edit a config file on Vista. It was damn difficult to figure what to do though - how one edits a file as admin was far from obvious (no equivalent to "edit as root" in a Linux file manager).

Of course, on Mandriva I could change the same config (the hosts file) in a GUI so I would not need to edit as root anyway.

I was also amused to find that Windows copies Unix files structure in having a partial equivalent to /etc (though its buried several layers deep) called \et

Hmm

[Anonymous Coward]

Maybe they can make it a more reasonable size? Who needs a 60MB file reader?

This is good but....

[mark-t]

... I'm still waiting on acrobat reader for x86_64 Linux. While there are other PDF readers for Linux, none of them that I've found work properly with documents that use layering features apparently only found in Acrobat.

Re:

[Skuld-Chan]

Wow seriously? How about Adobe Reader for Linux [adobe.com]?

Re:

[Joseph Vigneau]

Looks like it's a 32 bit app, not an x86_64 app. Not good if you're running a pure 64-bit environment.

Re:

[Hal_Porter]

Well if you want to run Acrobat, don't use a pure 64 bit environment.

Re:

[the_womble]

Why not? It works (on most distros), and its hardly performance critical.

Gasp!

[Quiet_Desperation]

And little does anyone suspect that Reader X is actually Speed Reader's long lost brother!

Re:

[Nimey]

ror

Re:

[Quiet_Desperation]

ROR? Raph Out Roud? That seems vaguely racist. Hey, I tease.

Seriosuly, though. Rate of Return? Ruby On Rails? Rotate Right? Help a brother out here.

Re:

[Nimey]

I believe the first one was the original. It's a common expression on another site I'm on.

Re:

[Culture20]

Twice as funny if you imagine it in the voice of the Micro Machines guy.

Great!

[Local ID10T]

New Adobe Acrobat Reader X!

Slower and more bloated than ever before!

New holes to exploit*!

(*old holes still included)
...yeah, I'll stick with Foxit Reader.

Re:

[hcpxvi]

Oh so nearly Haiku! Let's try again:

Adobe Reader X
Slow, more bloated than before
New holes to exploit


Darn. You have to pronounce "Adobe" as "A-dob".

Re:

[Abstrackt]

Darn. You have to pronounce "Adobe" as "A-dob".

And a haiku traditionally contains a word or phrase that symbolizes or implies the season.

The new Reader X
Still bloated like a dead cow
More holes than swiss cheese

Re:

[Skuld-Chan]

I don't get this - seriously. Foxit often has the exact same exploits as Reader does - remember that postscript font bug/exploit Reader had? Foxit had it too, they fixed it a whopping 3 days faster than Adobe, and Adobe has to support about 24 more languages than Foxit does.

Re:

[rekenner]

Yeah. Ironically, FoxIt is now ... getting to the bloat and vulnerability of Adobe. So, it too has been replaced by another slim PDF viewer. I use SumatraPDF, personally. It's quick, small, and doesn't have enough features to be vulnerable.

Re:

[(Score.5, Interestin]

Yeah. Ironically, FoxIt is now ... getting to the bloat and vulnerability of Adobe. So, it too has been replaced by another slim PDF viewer. I use SumatraPDF, personally. It's quick, small, and doesn't have enough features to be vulnerable.

I dropped Foxit for the same reason. I'm using STDUViewer, which isn't quite as... quirky as Sumatra, which seems to go out of its way to do straightforward things like text selection in as nonstandard a way as possible.

Re:

[eulernet]

and Adobe has to support about 24 more languages than Foxit does.

I don't understand what languages have to do with a patch in the code, or do you mean that the language resources are coded into the source itself or, even worse, that there are 24 different versions of the source ?

The problem is not that Adobe took 3 more days than Foxit, the problem is that Foxit has patches easy to deploy, and Acrobat Reader hasn't, so any new exploit will work for a lot of time.

I think I speak for all of us

[cerberusss]

I think I speak for all of us when I say: Fuck you Adobe, fuck you and your stupid software. Which makes both our work and our private lives miserable with its gazillion security holes, one worse than the other.

When I hear the word Adobe, I think of problems. That's the mindset you created.

Re:

[Culture20]

When I hear the word Adobe, I think of problems. That's the mindset you created.

Agreed. CS4 on Windows had a workaround method to update products remotely via command line (by downloading updates from their website). CS5 on Windows has those updates absent from the website. So we have to either grant access to the adobe updater program to run as admin for everyone and teach them to update (and scan to make sure), or manually use the GUI overselves on end users desktops. WTF? I bet the Mac version is just as foobared, but at least you can just ARD-push the application directories a

A better protected mode

[Dystopian Rebel]

OS X - built-in Preview app
Linux - Evince, several others
M-Windows - Foxit, Sumatra

The alternatives are so much better than Adobe Acrobat Reader that I think we can now say that the alternatives are the market and Acrobat Reader is the poor alternative.

Re:

[blindbat]

Unless you work in the printing field. If so, all of the programs you list fail miserably at rendering the files. On both Mac and Windows.

Re:

[LWATCDR]

Which very few of us are.
The problem with Acrobat is simply feature bloat. Most people need a program that will let them read PDFs. That is it.

Re:

[Kurt Granroth]

I think most people can agree that for most purposes, any alternative to Adobe Reader is going to be faster, smaller, and more secure. But let's not delude ourselves into thinking that just because we're not using Reader that we're completely safe from PDF exploits. Witness the recent XPDF vulnerability that affects nearly every Linux-based PDF resource:

http://securitytracker.com/alerts/2010/Oct/1024526.html [securitytracker.com]

We're safe from a "security through obscurity" point of view (why bother writing an exploit for suc

Re:

[internettoughguy]

OS X - built-in Preview app
Linux - Evince, several others
M-Windows - Foxit, Sumatra

The alternatives are so much better than Adobe Acrobat Reader that I think we can now say that the alternatives are the market and Acrobat Reader is the poor alternative.

Add Chromium to that mix too; it now supports PDF, and is available for all of those platforms.

Awesome.

[blair1q]

Protected mode involves having a separate process brokering write requests from the document viewer to the OS.

Because that's just what a bloated resource-hog like Acroread needs, is a whole layer of IPC and ACL in the most basic of places...

Why does anyone use PDF anymore anyway?

Re:

[blair1q]

For inexact values of "perfectly" and "everywhere".

Re:

[blair1q]

No, it's still ignorance, because it's not the fact that was in question, which was "it displays perfectly everywhere."

So I again amend my remarks.

"for deliberately self-unaware and/or ignorant values of 'perfectly' and 'everywhere'".

Re:

[blair1q]

If you wanted to say that in the first place you would have. Instead, you said what you said, and it was an ignorant tautology, as you've proved by changing what you would say, now that you know you were wrong.

As for whose head is in the sand, you have worms in your teeth.

Re:

[DragonWriter]

Why does anyone use PDF anymore anyway?

Because no one has come up with a replacement technology that maintains PDF's strengths while having a compelling-enough set of advantages to get people to change.

Reader X Updates coming soon...

[digitaldc]

So how many minutes will it be before we have to update Reader X after we install it?

Re:

[Teufelsmuhle]

I bet it won't be long. I also bet that when I install the update, it will place another stupid Adobe Reader shortcut on my desktop.

Sumatra - too dumb to exploit.

[Animats]

Sumatra - it's so dumb that the Adobe exploits don't work. No forms. No plug-ins. No cut and paste. No networking. All it does is display PDFs in a separate window. Which, 99.9% of the time, is all you want.

I don't even have Adobe Reader installed on my Windows 7 machine.

More Bloat for Adobe Bloatware

[BuckaBooBob]

Its shocking to see other PDF reads that are as small as 1 Meg and how well they work compared to Adobes 100+ Meg install of a reader..

A Sandbox sound like another awesome way to make a simple document reader even bigger.

As it is now When I see someone using Acrobat I cringe and inform them there are alot of PDF readers out there that do a great job... and when they load one of them up they are amazed how fast PDF's open..

The general Public needs to be informed that there are Better and More Secure PDF read

WTF? Why? It's a READER!!!

[CPE1704TKS]

This is getting ridiculous! I want Adobe Acrobat to just take a PDF and DISPLAY IT. I didn't sign up for all this bullshit with javascript, adding a service into my already crowded memory space that checks constantly for updates, etc. It's fucking ridiculous!

All it's supposed to be is a way to format a document. Anything more than that, adding all this fucking unnecessary infrastructure/bloatware onto desktop just makes me crazy! The additional fact that it causes viruses makes me really, really close

Re:

[account_deleted]

Comment removed based on user account deletion

Who is the idiot...

[FranckMartin]

...that decided to put a scripting language inside PDFs?

Have we learn anything? Do we have to use back postscript for sending safe documents?

I hope Adobe take advantage of this opportunity...

[(Score.5, Interestin]

... to add the 300MB of extra functionality to their reader that they've been holding back on for the last few years (scratch-n-sniff PDF support, essential stuff like that). Releasing a major new version like this would be a golden opportunity to add all the much-needed extras that they haven't dared add so far.

Re:

[hcpxvi]

Apple sues for the use of "X"
Followed closely by that company that makes the X-box. What were they called, now? ISTR them having a lot of lawyers. I don't imagine that the current providers of the X Window System will bother.

Re:

[arth1]

More likely is that Apple will come out with their own not-entirely-compatible Acrobat reader, which sneak-installs QuickTime, iTunes and a web browser, and everyone will hail it as the best thing since sliced bread...

Re:

[theurge14]

That would be a pretty good zinger if Mac OS X didn't already have Preview.