Slashdot Mirror
PDF Virus Spotted
Jethro73 writes: "Adobe's popular PDF file format [...] has generally been considered immune to viruses. But a new virus carried by programs embedded in PDF files raises concerns that the format itself could become susceptible. Read about it here and at coderz.net."
Adobe has a "monopoly" too, walled off by patents ... it's just that it's on PostScript and PDF so it isn't as noticeable. They're going to get more agressive defending it too.
My other posts explain it all ;-)
- have an immediately viewable, printable representation of any archived document, accessible to whoever we want it to be over the web, and
- have almost instant access to the native application files that created the document, in case a file must be modified or updated. Like the Pagemaker file, graphic images and fonts.
The feature really functions not much differently than, say, using WinZip to compress files into an self-extracting archive. Decompress anBut really, it shouldn't be that difficult for Adobe to put a little option on the feature to disable vbs access, should it? As far as I can tell, there's absolutely no vbs out there that should need a viewable, printable PDF mother file.
--Any sufficiently reliable magic is indistinguishable from technology.
While you are correct in stating that adding VBscript and other such extensions to PDF is stupid, the PDF format was explicity designed with the idea of users being able to view documents in addition to printing them.
PDF was designed as a method for users to share documents without requiring them to all have the software that created the documents. They took a subset of the postscript language and modified it to improve portability (such as font handling), remove some of the printer-specific bits of Postscript, and add features that may be desirable for portable documents (like encryption, for-handling, etc). Yes, the ability to print it correctly was important, but so was on-screen viewing.
That they did a piss-poor job of on-screen previewing (as anyone that uses bitmap fonts in TeX will attest to) in Acrobat notwithstanding, they design it for both viewing and printing.
There's a CNet story on the same news piece here: http://news.cnet.com/news/0-1003-200-6808673.html? tag=mainstry
From the article: "The virus spreads only by way of Adobe's Acrobat software--the program used to create PDF documents--not through Acrobat Reader, the free program that is used to view the files"
I don't own Acrobat, and I never will. I have other ways of creating PDFs which are cheaper. Most people don't have Acrobat. Most never will. This virus, thus, can't get far.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
Many, many forms, both in government and business require that the exact layout be used on all copies. The layout is chosen to meet accessibility regulations, etc. That part is non-negotiable. So, these forms traditionally are printed out and available by mail, or in person. Then Adobe comes up with PDF. This electronic file that retains the exact printed layout and can be downloaded or placed on CD-ROM. So, some agencies start using it. Folks download the file, print it out and send it in. Ahh, but some of those folks filling it out have incredibly illegible handwriting. Adobe, will you please make it so our forms can be filled out with typewritten information by our users before they print it? Sure. Adobe Acrobat forms are born. Then the agencies start to notice that when the form requires the same information in several different places, people are mistyping it in one or more. Hence the Javascript in PDF.
Throughout all of this, the data is NEVER sent to any server at all. The agency is still requiring a printed copy of the filled out form. Keep in mind that in many cases, these forms are published by a government agency to be submitted to folks other than the agency itself. Prime example: the US W-4 form for income tax deductions from a paycheck. The form is submitted to the employer. The IRS makes up the PDF form and you fill it out and give it to your employer. The IRS isn't involved other than providing the proper form.
As far as having built a Javascript 'application', yes I have. Not relevant to the discussion. The original post attacked not the implementation, but the very idea of Javascript in PDF. Your attack on Javascript has to do with a poor implementation in Javascript. I don't care what scripting language is used, the concept is valid and that's what I was defending.
Improper implementations of a concept do NOT invalidate the concept itself. The concept must be evaluated on it's own merits.
The Glass is Too Big: My Take on Things
As far as Javascript in PDF not manipulating the PDF itself, I quote from Adobe's docs on Acrobat Forms Document Model,
The Glass is Too Big: My Take on Things
In terms of linguistics, which is concerned with actual usage rather than "proper" usage (it's descriptive rather than prescriptive), writing "virii" is just fine. Why? Because people do it. Oversimplification of linguistic rules from other languages when applying them to words from that language is a common linguistic phenomenon which can be seen, for example, in modern French as it relates to Latin. After all, if we don't speak Latin, how can we be expected to decline Latin nouns properly? In fact, classical Latin was never a household language, it was always a construct of grammaticians that came into being under the influence of Greek writing and had little to do with everyday usage. On the other hand, we should always feel perfectly free to anglicize foreign words, it's perfectly acceptable and often makes us better understood. My main point is that we shouldn't argue over such points of language in terms of who's right and who's wrong, because any word in common usage is inherently correct. That includes "ain't." (But I still like reading about the actual Latin declension of "virus.")