PDF readers need a tinfoil hat

Summary: Upstart PDF reader for Windows, FoxIt reader, has come out with a new "safe reading" feature — a needed addition to be sure, but it should go further.

FoxIt's new "safe reading" feature prevents an external application from launching
(Screenshot by Chris Duckett/ZDNet Australia)

This new feature is able to prevent launching of external programs and playing of media, but still retains the ability of the reader to interpret JavaScript. As Adobe can attest, having JavaScript within PDFs can spawn vulnerabilities. How FoxIt believes that "safe reading" and JavaScript interpretation are compatible is a serious double-think that I am not comfortable with.

FoxIt takes an all-or-nothing approach to JavaScript
(Screenshot by Chris Duckett/ZDNet Australia)

However, let's not get carried away and think that this is part of a grand security design by FoxIt — in fact, FoxIt calls it "a follow-up security improvement to the Foxit Reader release on April 2nd". PDFs have had security issues for quite a while now and there has been ample opportunity to one-up Adobe on security, something that FoxIt was not in a position to do when this PDF exploit appeared in late March, but which "safe reading" rectifies.

Adobe's more flexible approach to JavaScript options
(Screenshot by Chris Duckett/ZDNet Australia)

To properly remove the issue of JavaScript security, I would like to see an option that blocks both external application launching and JavaScript. In light of FoxIt's use of the word "safe", I propose that this option be called "Tinfoil hat", and be invoked by default.

If Adobe's and FoxIt's readers are able to prompt users to launch external commands, then surely they can prompt users to invoke the JavaScript engine.
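The two features discussed here appear inside a PDF as the name keys /JavaScript, /JS and /Launch, so a file can be screened for them before it ever reaches a reader. The following is an added example, not code from this article or from either vendor; the function names and the sample byte strings are constructed for illustration, and a raw scan like this cannot see names stored inside compressed object streams.

```python
import re

# PDF name keys for the two features the article wants blocked:
# embedded JavaScript and external application launching.
RISKY_NAMES = {"JavaScript": "javascript", "JS": "javascript", "Launch": "launch"}

# A PDF name is "/" followed by any bytes that are not whitespace or delimiters.
_NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample inputs (not taken from any real document).
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_LAUNCH = b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /Launch /F (example.txt) >>\nendobj\n"
SAMPLE_JS = b"%PDF-1.4\n1 0 obj\n<< /S /J#61vaScript /J#53 () >>\nendobj\n"


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as /JavaScript."""
    decoded = _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count name tokens that signal JavaScript or external-launch actions.

    A zero count is not proof of absence: names inside compressed
    object streams are invisible to a raw byte scan.
    """
    counts = {"javascript": 0, "launch": 0}
    for match in _NAME_RE.finditer(data):
        feature = RISKY_NAMES.get(decode_name(match.group(1)))
        if feature:
            counts[feature] += 1
    return counts


def verdict(data: bytes) -> str:
    """Default-deny policy: block the file if either feature is present."""
    return "block" if any(triage_pdf(data).values()) else "allow"


if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_CLEAN), ("launch", SAMPLE_LAUNCH), ("js", SAMPLE_JS)]:
        print(label, triage_pdf(sample), verdict(sample))
```
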

How Adobe Reader handles external application calls
(Screenshot by Chris Duckett/ZDNet Australia)

So "safe reading" has a bit to go before it's really safe.

About

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.
