Here we go again: another expert recommending that people stop using a popular piece of software because it has too many vulnerabilities. In this case, I'm talking about F-Secure's recommendation to abandon Adobe's Acrobat Reader in favor of other PDF rendering programs, like Foxit or any of the free alternatives available.
You'll often read similar recommendations to dump Microsoft's Internet Explorer (I work full-time for Microsoft) and use any other browser instead. To completely protect yourself, they'll advise moving off of Microsoft Windows altogether.
The idea is that protection can be gained by moving to a more secure product or that it's just inherently safer to use a less popular product because it is less likely to be attacked. Now, the former argument I can buy. If one product has weaker security than another product, who can blame you for switching? Of course, that argument is more complex than it first appears.
What is a more secure product? Do you measure that with known bug counts, severity of bugs, time to patch, or how often it is publicly exploited? And is the product you are moving to actually more secure or just attacked less often because it is not as popular? This leads to the other argument: When it comes to software, there's safety in fewer numbers of users. The idea is that when everyone is using the same application or operating system (OS), a computer monoculture is created that leads to more exploits.
On the face of it, it's a compelling argument, one that's hard to reason against. If we all use the same software, then attackers can write one piece of code to exploit us all simultaneously. It seems to make sense that moving away from a monoculture (an argument first popularized in a paper by Dan Geer and others in 2003) would reduce overall security risk.