Is Adobe’s PDF document standard now so riddled with security problems that the time has come to ditch it?

According to an unscientific straw poll conducted at the recent Virus Bulletin 2010 conference in Vancouver, the answer is an emphatic ‘yes’, with a reported 97 percent of experts believing that the time had come to ban it outright before replacing it with something better.

It must be a first in computing history for professionals to have supported the idea of ditching de-facto standards, but it’s not hard to see where the worries over the PDF’s long-term future come from.

Adobe’s Reader is, by most third-party measures, the most attacked application going, for a cocktail of reasons. The PDF is ubiquitous, which means every PC is a potential target because every PC will have a reader, and the company behind the de-facto reader, Adobe, let security slip for too long.

The Virus Bulletin attendees were making a rhetorical point no doubt, but talk of a ban is nonsense. The problem is not simply the PDF itself so much as the obsolete software architecture in which it runs and the vulnerabilities of Adobe’s own Reader program.

The ‘obsolete’ architecture is Windows, which happily lives with the distinction between things done by the operating system (which is now secure in relative terms) and things that can be done by applications (which is more or less anything and consequently far from secure).

Short of abandoning Windows itself, and all OSes that work in the same way, the only way to retrofit security into such an environment is to start employing techniques such as sandboxing, which limits what applications can do. This has been pioneered by Microsoft, in browsers such as Google’s Chrome, and by Adobe itself for future versions of Reader.

So let’s not ban Reader, and certainly not the hard-won PDF that millions of people use every day and have no obvious alternative to. Use an alternative reader program, of which there are a number out there, and await the coming of security restrictions built around every common consumer app.

And let’s not rely on the antivirus companies, who also suffer security failures of their own.

It isn’t a perfect or easy-to-implement solution but it’s better than simply hitting the document ‘off’ button.