
PDF readers need a tinfoil hat

Upstart PDF reader for Windows, FoxIt reader, has come out with a new "safe reading" feature — a needed addition to be sure, but it should go further.
Written by Chris Duckett, Contributor

FoxIt's new "safe reading" feature prevents an external application from launching
(Screenshot by Chris Duckett/ZDNet Australia)

This new feature is able to prevent launching of external programs and playing of media, but still retains the ability of the reader to interpret JavaScript. As Adobe can attest, having JavaScript within PDFs can spawn vulnerabilities. How FoxIt believes that "safe reading" and JavaScript interpretation are compatible is a serious double-think that I am not comfortable with.

FoxIt takes an all-or-nothing approach to JavaScript
(Screenshot by Chris Duckett/ZDNet Australia)

However, let's not get carried away and think that this is part of a grand security design by FoxIt — in fact, FoxIt calls it "a follow-up security improvement to the Foxit Reader release on April 2nd". PDFs have had security issues for quite a while now and there has been ample opportunity to one-up Adobe on security, something that FoxIt was not in a position to do when this PDF exploit appeared in late March, but which "safe reading" rectifies.

Adobe's more flexible approach to JavaScript options
(Screenshot by Chris Duckett/ZDNet Australia)

To properly remove the issue of JavaScript security, I would like to see an option that blocks both external application launching and JavaScript. In light of FoxIt's use of the word "safe", I propose that this option be called "Tinfoil hat", and be invoked by default.

If Adobe's and FoxIt's readers are able to prompt users to launch external commands, then surely they can prompt users to invoke the JavaScript engine.

How Adobe Reader handles external application calls
(Screenshot by Chris Duckett/ZDNet Australia)

So "safe reading" has a bit to go before it's really safe.
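
The "Tinfoil hat" default proposed above can be approximated outside the reader as a pre-open check on the file. The following is an added example, not code from the original post, FoxIt or Adobe; it goes slightly beyond the text by also flagging compressed object streams, and the function names, verdict strings and sample bytes are assumptions constructed for illustration.

```python
import re

# Name keys that trigger a block: external program launch and JavaScript.
BLOCK = {
    "Launch": "external application launch",
    "JavaScript": "JavaScript action",
    "JS": "JavaScript source",
}
OPAQUE = "ObjStm"  # compressed object streams: a byte scan cannot see inside

# A PDF name is "/" followed by characters that are not whitespace or delimiters.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def watched_names(pdf: bytes) -> dict:
    """Count occurrences of the watched name keys in the raw file bytes."""
    counts = {}
    for m in _NAME.finditer(pdf):
        name = decode_name(m.group(1))
        if name in BLOCK or name == OPAQUE:
            counts[name] = counts.get(name, 0) + 1
    return counts

def tinfoil_hat(pdf: bytes) -> tuple:
    """Return (verdict, reasons): 'block', 'inspect' or 'allow'."""
    counts = watched_names(pdf)
    hits = [f"{BLOCK[k]} (/{k} x{counts[k]})" for k in BLOCK if k in counts]
    if hits:
        return "block", hits
    if OPAQUE in counts:
        return "inspect", ["object streams present; keys may be hidden from this scan"]
    return "allow", []

# Constructed sample fragments (not real documents).
SAMPLE_JS = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /J#61vaScript /JS (constructed) >> >>\nendobj\n"
SAMPLE_LAUNCH = b"%PDF-1.4\n2 0 obj\n<< /S /Launch /F (constructed.bin) >>\nendobj\n"
SAMPLE_PLAIN = b"%PDF-1.4\n3 0 obj\n<< /Type /Page /MediaBox [0 0 612 792] >>\nendobj\n"
SAMPLE_OBJSTM = b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length 0 >>\nstream\n\nendstream\nendobj\n"

if __name__ == "__main__":
    for label, data in [("js", SAMPLE_JS), ("launch", SAMPLE_LAUNCH),
                        ("plain", SAMPLE_PLAIN), ("objstm", SAMPLE_OBJSTM)]:
        print(label, *tinfoil_hat(data))
```

A byte-level scan like this is triage, not parsing: keys inside compressed or encrypted objects are not visible to it, which is why the "inspect" verdict exists.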
