One has to wonder after reading these articles from yesterday’s ZDNet…
In their article, Report: Malicious PDF files comprised 80% of all exploits for 2009, ZDNet reports:
A newly released report shows that based on more than a trillion Web requests processed in 2009, the use of malicious PDF files exploiting flaws in Adobe Reader/Adobe Acrobat not only outpaced the use of Flash exploits, but also, grew to 80% of all exploits the company encountered throughout the year.
The other blog, Adobe plugs more gaping holes in PDF Reader, ZDNet reports that Adobe has released a new patch for the Adobe Reader yesterday.
This morning, both of my Windows XP machines lit up with an announcement that there was a new version of Flash Player available and urged me to install. I did despite the fact that I manually updated them all last week when the first stories appeared that the patch was released.
Perhaps the scariest conclusion noted in the ZDNet article about report from ScanSafe was that:
Therefore, the increasing use of malicious PDFs can also be interpreted as the direct result of the millions of users using outdated and exploitable Adobe products (emphasis mine), with the only preference a malicious attacker could have in this case remaining the incentive based on the 99% penetration of Adobe Flash on Internet-enabled PCs.
I guess the adage, “you have no one to blame but yourself” comes to mind, but clearly, people have come to expect that the people who make the stuff that they run on their computers ensure that their stuff is safe.
So the message here folks is: when you get a notice that there is a new version of your software available, drop everything and install it.
Just read a good article by Tony Bradley called “Is it time for the Web to Abandon Flash.” In it he notes the controversy about Apple not allowing Flash on any of its handheld products, including the soon-to-be-released iPad. Millions of viewers of Steve Jobs’ announcement last week no doubt saw him demo the NY Times website where Flash content was missing and a nasty little icon appeared telling you you need to download a Flash extension for your browser.
I have disliked Flash for a long time, primarily due to its problems with assistive technologies; it often does not play well with screen readers, especially if it has not been developed correctly. In my mind, many Flash developers are graphic artists, illustrators or animators, and don’t really understand web design.
Add to this the fact that more people are now accessing web content via a non-traditional user agent (i.e., not a traditional browser) and you see why I agree with Bradley that Flash may be past its prime.
It’s ironic that Adobe developed Acrobat to find a way to share documents at a time just prior to the “invention” of HTML. Flash, build on the same business principles, was developed for the same reason. And once again, a new standard (HTML 5) may usurp their position. And, I should point out that the new standard will be accessible to screen readers.
But just as those who predicted the demise of Adobe Acrobat 15 years ago were wrong, I suspect it is not quite time for Adobe to throw in the towel and hire the undertaker. Look for Flash to be around for some time to come. But at least for some of us, there will be other options.
This will be interesting to watch.
I have been on a quest to get the latest information about the various distance learning and conferencing software on the market and their accessibility. And I have not been having much success.
It seems that every day there is a new videoconferencing service or webinar package being created and most – if not all – have no information about accessibility and their use with assistive technologies. For example, my research about Adobe Acrobat Connect Pro has turned up nothing but some personal observations – all negative regarding access – and a VPAT that is less than stellar. The company claims that updates made last fall make it “more accessible” but I have not seen anything definitive other than the company’s own White Paper on the topic. Yet, I know of at least one state government agency that is using this application despite concerns about accessibility.
I do not mean to be picking on Adobe; it just so happens that Connect Pro is the last one I have been researching.
As people scramble with declining budgets, more and more organizations are cutting their travel budgets and will be relying on technology to connect people for continued learning and professional development. But will this be leaving out a multitude of people in the process if the DL tools are inaccessible?
You thoughts and resources would be appreciated. I would really like to know if there is anyone out there studying this.
~jeb
__
Image used through license from Creative Commons - Goddard Video and Multimedia
I have updated my blog entry from a few days ago regarding issues with the security of Adobe Acrobat. Read the latest update there.
~John Brandt
Adobe Acrobat logo
UPDATE: New versions of Acrobat Reader 9 and Professional 9 are now available for download. Updates and patches to older versions are supposed to be available tomorrow, March 18th. Also note that I patched what I could and then today received what I thought to be a very suspicious e-mail with a PDF attachment. Read about it on my other blog
I learned this on Twitter a few days ago and am frankly surprised it has not become more widely knows. Basically, there has been a security problem found in the Adobe Acrobat Reader and Adobe Acrobat Professional which allows certain malware to attack your computer. Initially it was reported that by simply disenabling the JavaScript switch in Reader (and Professional) the problem went away. As an interesting aside, I did this and the very first PDF I downloaded and read an hour later came from Adobe and it required the JS switch be turned back on.
Anyway, in this latest report from ZD Net, it appears that that advice does not mitigate the problem and that Adobe is no closer to a solution than it was a few days ago.
So, the only general advice we can give sportsfans is to avoid opening Adobe Acrobat files until the security issue is resolved. As is stated in the ZD Net article: “All users of Adobe Reader/Acrobat should therefore show extreme caution when deciding which PDF files to open regardless of whether they have disabled JavaScript support or not.”
Here is a link to the ZD Net article with details
Update: Here is more information from Adobe – but the general consensus is to make sure you have you Anti-Virus programs running and up-to-date.
http://blogs.adobe.com/psirt/2009/02/adobe_reader_and_acrobat_issue_1.html
http://www.adobe.com/support/security/advisories/apsa09-01.html
~jeb
