Slashdot Mirror
PDF Virus Spotted
Jethro73 writes: "Adobe's popular PDF file format [...] has generally been considered immune to viruses. But a new virus carried by programs embedded in PDF files raises concerns that the format itself could become susceptible. Read about it here and at coderz.net."
While you are correct in stating that adding VBscript and other such extensions to PDF is stupid, the PDF format was explicity designed with the idea of users being able to view documents in addition to printing them.
PDF was designed as a method for users to share documents without requiring them to all have the software that created the documents. They took a subset of the postscript language and modified it to improve portability (such as font handling), remove some of the printer-specific bits of Postscript, and add features that may be desirable for portable documents (like encryption, for-handling, etc). Yes, the ability to print it correctly was important, but so was on-screen viewing.
That they did a piss-poor job of on-screen previewing (as anyone that uses bitmap fonts in TeX will attest to) in Acrobat notwithstanding, they design it for both viewing and printing.
There's a CNet story on the same news piece here: http://news.cnet.com/news/0-1003-200-6808673.html? tag=mainstry
From the article: "The virus spreads only by way of Adobe's Acrobat software--the program used to create PDF documents--not through Acrobat Reader, the free program that is used to view the files"
I don't own Acrobat, and I never will. I have other ways of creating PDFs which are cheaper. Most people don't have Acrobat. Most never will. This virus, thus, can't get far.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
Many, many forms, both in government and business require that the exact layout be used on all copies. The layout is chosen to meet accessibility regulations, etc. That part is non-negotiable. So, these forms traditionally are printed out and available by mail, or in person. Then Adobe comes up with PDF. This electronic file that retains the exact printed layout and can be downloaded or placed on CD-ROM. So, some agencies start using it. Folks download the file, print it out and send it in. Ahh, but some of those folks filling it out have incredibly illegible handwriting. Adobe, will you please make it so our forms can be filled out with typewritten information by our users before they print it? Sure. Adobe Acrobat forms are born. Then the agencies start to notice that when the form requires the same information in several different places, people are mistyping it in one or more. Hence the Javascript in PDF.
Throughout all of this, the data is NEVER sent to any server at all. The agency is still requiring a printed copy of the filled out form. Keep in mind that in many cases, these forms are published by a government agency to be submitted to folks other than the agency itself. Prime example: the US W-4 form for income tax deductions from a paycheck. The form is submitted to the employer. The IRS makes up the PDF form and you fill it out and give it to your employer. The IRS isn't involved other than providing the proper form.
As far as having built a Javascript 'application', yes I have. Not relevant to the discussion. The original post attacked not the implementation, but the very idea of Javascript in PDF. Your attack on Javascript has to do with a poor implementation in Javascript. I don't care what scripting language is used, the concept is valid and that's what I was defending.
Improper implementations of a concept do NOT invalidate the concept itself. The concept must be evaluated on it's own merits.
The Glass is Too Big: My Take on Things