During the RSA Conference (2009) held this week, F-Secure's chief research officer Mikko Hypponen told the press on Tuesday that consumers should not use Adobe's Acrobat Reader, but should instead switch to an alternative application to read PDF files. Those are strong words, especially when most consumers have Acrobat Reader installed and set as the default PDF application. However, according to Hypponen, 47 percent of the targeted attacks in 2009 have exploited holes in the program; six vulnerabilities have been discovered in Reader so far (SA29773) this year.
Hypponen went on to warn that Adobe Reader is the new Internet Explorer (6), referring to a time when security experts told consumers to switch to another browser due to huge security holes in Microsoft's browser. By getting rid of Reader, he said that consumers will reduce their risk of acquiring malicious code and infecting the PC. "That's my advice," Hypponen said. "I don't expect a Christmas card from Adobe."
PDF files can be especially dangerous to consumers and executives who are accustomed to receiving files in that format. Recipients of an infected PDF merely open the file via Acrobat Reader and activate the embedded malicious code (aka a "targeted attack"), opening a back door in the PC and allowing the attacker to steal sensitive data. Security flaws in the Adobe Acrobat Reader browser plugin also allow the attacker to come in and create a back door, termed a "drive-by download," when the end user downloads a PDF from a "tainted" website.
Unfortunately, the problem is getting worse. According to Hypponen, F-Secure saw 128 "dangerous" drive-by attacks between Jan 1 and April 16, 2008. In the same time frame this year, F-Secure has seen 2,305 drive-by attacks. To alleviate the problem, Hypponen suggested that Adobe should make security a priority and take notes from Microsoft, which releases monthly security patches on a regular basis. Unfortunately, consumers aren't fully aware that Adobe's Acrobat Reader needs updating for security reasons, and often avoid installing crucial updates when the program alerts the end user to a new patch.
For now, Hypponen suggests that consumers stop using Reader altogether, and locate a compatible program by heading to this website. Are these programs more secure? That's a good question; however, like Firefox and the other non-Internet Explorer browsers, they're not currently in the hacker-oriented spotlight. Still, come this holiday season, it will not be surprising to see Adobe sending a Christmas card PDF to Hypponen's email inbox.
47-percent of the targeted attacks in 2009 have exploited holes in the program... wow, I was wondering how he could say something like "consumers should not use Adobe's Acrobat Reader"