Slashdot Mirror
PDF Exploits On the Rise
An anonymous reader writes "According to the TrustedSource Blog, malware authors increasingly target PDF files as an infection vector. Keep your browser plugins updated. From the article: 'The Portable Document Format (PDF) is one of the file formats of choice commonly used in today's enterprises, since it's widely deployed across different operating systems. But on a down-side this format has also known vulnerabilites which are exploited in the wild. Secure Computing's Anti-Malware Research Labs spotted a new and yet unknown exploit toolkit which exclusively targets Adobe's PDF format.'"
Use the Sumatra PDF Reader. It is a very lightweight reader. Since it doesn't have all the other useless bloat crap that Adobe's reader has, I'm sure it is a lot less vulnerable. It is also open source, so you don't have to rely on downloading an even more bloated version of Acrobat Reader to fix the exploits.
http://blog.kowalczyk.info/software/sumatrapdf/
I have this installed on all of the PCs here at the office. It has eliminated just about all of the issues i had with the adobe crapware.
There is a free .docx, .pptx,. xlsx, etc. format plug-in to do that.
I've been using Foxit exclusively for some time now.
There's nothing about Adobe Reader that I miss. Foxit seems to handle everything I come across just fine. And it's way faster and never crashes. Adobe Reader seemed to crash on me all the time on multiple machines.
On the contrary, PDF is (originally) a subset of PS plus the ability to embed fonts into the document, apply some overall compression where sensible, and stitch everything together into one carrier.
And while it is true that the past knows about "PS bombs" which e.g. will render your printer useless cause its interpreter is stuck in a loop (after all, PS is a Turing-capable programming language opening all sorts of fun if your idea of fun are stack-oriented languages), the problem with current PDF exploits comes from the fact that this format gets increasingly overloaded.
I can see why one would love to see Javascript and embedding all kinds of multimedia stuff within PDF. Would bring PDF on par with Powerpoint with respect to animations etc. -- which wouldn't be the worst thing for me, cause I love doing slides with PDFtex and beamer, and Adobe of course would like to present their format as a vital alternative to those nasty office formats.
But it also adds complexity. Instead of a simple postscript renderer you end up with a gazillion of helper libraries, bringing in their very own bugs.
There are alternatives for Windows as well that are better than the "official" reader.
Specifically Sumatra PDF and Foxit Reader are alternative PDF readers for Windows.
They are both orders-of-magnitude faster than Adobe Acrobat. Part of the reason for this speed boost is that they don't implement the hundreds of plug-ins that Acrobat supports. But frankly for >99% of the PDFs you encounter, those additional plug-ins are not required. (In the rare case where a PDF needs one of those features, I guess you can load up Acrobat.)
In addition to a speed advantage, using an alternate PDF reader is probably more secure. Both because it is less well-known (fewer exploits tailored to it), and because they don't implement those hundreds of plug-ins (some of which enable certain kinds of code execution).
For Windows the best (and free/open source) tool I've found is PDFCreator. It installs a "printer" on your computer that outputs to PDF. Using PDFCreator, you can make a PDF in any application that allows you to print. Using some of the "advanced" features (not really advanced, but slightly more complex than Print->PDF), you can even combine multiple print-outs from different applications into a single PDF.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
I use Apple's Preview/display PDF. The only time I've needed to use Acrobat was for filling out IRS tax forms (Preview didn't save the data I entered).
Do you even lift?
These aren't the 'roids you're looking for.
I'll look into it, but the last time I tried the one for OS X it didn't work. It caused major problems with the formatting of the document, amongst other things. (And I have Office 2004 installed on my machine.)
Kpdf/Okular is great if you're running KDE as your desktop. With kde4, I think okular will eventually be available for windows as well. (I'm not sure on that...) The main advantage is that it's very quick to load and tightly integrated with Kdesktop. If you don't use kde, it has fewer advantages over the others.
You can annotate and review pdfs in okular just like you do in acroread. It doesn't have editing capability, but neither do the free versions of almost anything else, to my knowledge. (PDFedit is an exception, but it's too clunky for day-to-day use as a reader.)
Evince works flawlessly for me.
DRM: Terminator crops for your mind!
Not disagreeing here but you might like to know there is a common habit of disabling the loading of all the plugins in adobe. I forget how it is best done, but a cheap trick is renaming the plugin directory.
Actually, that only works for documents that you can view/edit in Open Office. For general purpose use, you can always opt for PDFCreator. We use it at our clients' offices, and have excellent results.
Aye, Foxit is really quick and it's a very good viewer. Okular in KDE is also very good rendering files, although it does lack a few features.
Your head a splode
Postscript can contain function calls and as such, is often marked as a potential scripting threat. Google, for example, refuses to send raw eps files as attachments.
A similar principle to Windows MetaFile, which is essentially a list of calls to the Windows graphics library ; several Windows exploits owe their birth to WMF calling unchecked functions in the graphics library.
Note that just because a file format doesn't contain function calls or scripting does not make it secure. A poor implementation of any file reader can be vulnerable to a well crafted file. But active content makes things much easier, because it's much harder to check for security.
CutePDF. It shows as a printer. Print to it, and you get a file save dialog asking where to put the PDF.
As a bonus, it uses GPL Ghostscript as it's backend.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Mac Firefox users can get a similar lightweight pdf plugin that uses the same libraries with this plugin.
...and the 80 megs of bloat is also a dealbreaker.
Foxit FTW.
I use kpdf, and it works great for almost all PDFs. The only problem I have with it is PDFs that have fillable forms; I haven't found an open-source PDF viewer that can do that yet, so I usually use Adobe Reader or some German-made closed-source program whose name escapes me at the moment (I believe it starts with "C").