Upstart PDF reader for Windows, FoxIt reader, has come out with a new "safe reading" feature — a needed addition to be sure, but it should go further.
FoxIt's new "safe reading" feature prevents an external application from launching
(Screenshot by Chris Duckett/ZDNet Australia)
This new feature is able to prevent launching of external programs and playing of media, but still retains the ability of the reader to interpret JavaScript. As Adobe can attest, having JavaScript within PDFs can spawn vulnerabilities. How FoxIt believes that "safe reading" and JavaScript interpretation are compatible is a serious double-think that I am not comfortable with.
FoxIt takes an all-or-nothing approach to JavaScript
(Screenshot by Chris Duckett/ZDNet Australia)
However, let's not get carried away and think that this is part of a grand security design by FoxIt — in fact, FoxIt calls it "a follow-up security improvement to the Foxit Reader release on April 2nd". PDFs have had security issues for quite a while now and there has been ample opportunity to one-up Adobe on security, something that FoxIt was not in a position to do when this PDF exploit appeared in late March, but which "safe reading" rectifies.
Adobe's more flexible approach to JavaScript options
(Screenshot by Chris Duckett/ZDNet Australia)
To properly remove the issue of JavaScript security, I would like to see an option that blocks both external application launching and JavaScript. In light of FoxIt's use of the word "safe", I propose that this option be called "Tinfoil hat", and be invoked by default.
If Adobe's and FoxIt's readers are able to prompt users to launch external commands, then surely they can prompt users to invoke the JavaScript engine.
How Adobe Reader handles external application calls
(Screenshot by Chris Duckett/ZDNet Australia)
So "safe reading" has a bit to go before it's really safe.
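To make the gap concrete, here is an added example (not code from FoxIt, Adobe or the original post) that triages a PDF for the two features discussed above, launch actions and JavaScript, and compares what a launch-only policy stops with what a block-both policy stops. The policy names, function names and sample bytes are assumptions constructed for illustration.

```python
import re

# PDF names may hide characters behind #xx hex escapes (/J#61vaScript is
# /JavaScript), so each name is decoded before it is compared.
_NAME = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

# PDF names that mark the features the article discusses.
ACTIVE = {b"Launch": "launch", b"JavaScript": "javascript", b"JS": "javascript"}

# Hypothetical policies. "safe_reading" follows the article's description
# (external launch blocked, JavaScript still interpreted); "tinfoil_hat" is
# the block-both default the article proposes.
POLICIES = {
    "safe_reading": {"launch"},
    "tinfoil_hat": {"launch", "javascript"},
}

def decode_name(raw):
    """Resolve #xx escapes inside a PDF name object."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def active_features(pdf_bytes):
    """Return which of the tracked features appear in the raw file bytes.

    Limitation: only uncompressed bytes are scanned. Objects inside
    compressed streams are not inspected, so an empty result is not
    proof that the document is inert.
    """
    found = set()
    for match in _NAME.finditer(pdf_bytes):
        label = ACTIVE.get(decode_name(match.group(1)))
        if label:
            found.add(label)
    return found

def blocked(pdf_bytes, policy):
    """Features present in the file that the chosen policy would stop."""
    return active_features(pdf_bytes) & POLICIES[policy]

# Constructed sample fragments, not taken from any real document.
SAMPLE_LAUNCH = b"1 0 obj << /Type /Action /S /Launch /F (example.exe) >> endobj"
SAMPLE_JS = b"2 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\);) >> endobj"

if __name__ == "__main__":
    for name, data in (("launch", SAMPLE_LAUNCH), ("js", SAMPLE_JS)):
        for policy in POLICIES:
            print(name, policy, sorted(blocked(data, policy)))
```

The JavaScript sample passes the launch-only policy untouched, which is the gap the article describes.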