PDF readers need a tinfoil hat

Summary: Upstart PDF reader for Windows, FoxIt reader, has come out with a new "safe reading" feature — a needed addition to be sure, but it should go further.

FoxIt's new "safe reading" feature prevents an external application from launching
(Screenshot by Chris Duckett/ZDNet Australia)

This new feature is able to prevent launching of external programs and playing of media, but still retains the ability of the reader to interpret JavaScript. As Adobe can attest, having JavaScript within PDFs can spawn vulnerabilities. How FoxIt believes that "safe reading" and JavaScript interpretation are compatible is a serious double-think that I am not comfortable with.

FoxIt takes an all-or-nothing approach to JavaScript
(Screenshot by Chris Duckett/ZDNet Australia)

However, let's not get carried away and think that this is part of a grand security design by FoxIt — in fact, FoxIt calls it "a follow-up security improvement to the Foxit Reader release on April 2nd". PDFs have had security issues for quite a while now and there has been ample opportunity to one-up Adobe on security, something that FoxIt was not in a position to do when this PDF exploit appeared in late March, but which "safe reading" rectifies.

Adobe's more flexible approach to JavaScript options
(Screenshot by Chris Duckett/ZDNet Australia)

To properly remove the issue of JavaScript security, I would like to see an option that blocks both external application launching and JavaScript. In light of FoxIt's use of the word "safe", I propose that this option be called "Tinfoil hat", and be invoked by default.

If Adobe's and FoxIt's readers are able to prompt users to launch external commands, then surely they can prompt users to invoke the JavaScript engine.
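The "block both" policy proposed above can also be enforced before a file ever reaches a reader. The following is an added example, not code from the article or from either vendor: it scans a PDF's raw bytes for the name tokens that declare JavaScript and Launch actions, decoding hex-escaped names first. The function name `tinfoil_hat_verdict` and the sample fragments are constructed for illustration.

```python
import re

# A PDF name is "/" plus characters; any character may be written as #xx
# (for example /J#61vaScript), so names are decoded before comparison.
NAME_RE = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# The two features the article wants blocked, plus the keys that fire an
# action automatically (on open, or on page/field events).
WATCHED = {
    b"JavaScript": "javascript",
    b"JS": "javascript",
    b"Launch": "launch",
    b"OpenAction": "auto_trigger",
    b"AA": "auto_trigger",
}

def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes inside a PDF name token."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def triage(pdf_bytes: bytes) -> dict:
    """Count watched names in the raw bytes. Names inside compressed
    streams are not visible here; inflate those first for full coverage."""
    counts = {"javascript": 0, "launch": 0, "auto_trigger": 0}
    for match in NAME_RE.finditer(pdf_bytes):
        category = WATCHED.get(decode_name(match.group(1)))
        if category:
            counts[category] += 1
    return counts

def tinfoil_hat_verdict(pdf_bytes: bytes) -> str:
    """Hypothetical policy: refuse anything with JavaScript or Launch."""
    counts = triage(pdf_bytes)
    return "block" if counts["javascript"] or counts["launch"] else "allow"

# Constructed sample fragments (not real documents).
SAMPLE_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n")
SAMPLE_LAUNCH = b"%PDF-1.4\n1 0 obj\n<< /S /Launch /F (placeholder) >>\nendobj\n"
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, data in [("js", SAMPLE_JS), ("launch", SAMPLE_LAUNCH), ("plain", SAMPLE_PLAIN)]:
        print(label, triage(data), tinfoil_hat_verdict(data))
```

A raw-byte scan like this is a triage step only: a clean result does not prove a file is free of actions, since names can sit inside compressed object streams.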

How Adobe Reader handles external application calls
(Screenshot by Chris Duckett/ZDNet Australia)

So "safe reading" has a bit to go before it's really safe.

Topics: Security, Software Development

About

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Talkback

3 comments
  • Great! Expecting a user to read and understand a 52? word technically heavy dialogue box is the perfect security solution!

    The average user will read 5 words and click OK without further thought.

    I will use Foxit or Sumatra anyway (when using Windows) because they is small and fast and free.
    Serenicom
  • I meant to say "they ARE small and..."
    Serenicom
  • By far the best of the free PDF Readers/Viewers is PDF-XChange, it's light, lightning fast and offers all you would expect like commenting/markup, export to an image file, fill and save forms etc - and there is a portable version too.

    Google PDF-XChange or go to Tracker Software Products site for download info.
    stoufville