Monday, June 01, 2009
Has PDF failed as a preferred document distribution format?
Has PDF failed as a preferred document distribution format?
Yes.
No.
MP3, JPG and PNG are examples of equally ubiquitous formats that suffer less exploits.
The PDF format allows Javascript payloads that execute when attempting to view the file, this can be put to use as a formidable vector for exploit code.
PDF v1.8 viewers even contain a virtual machine to run flash programs.
From the e-security perspective, a 'vanilla' PDF document should be treated as an unknown application.
What to do?
Stop using 'plain' PDF, enforce a sub standard like PDF/A, PDF/X or other from the rich PDF patchwork.
Check out alternatives: XPS is a format that keeps behaving like a (fixed) document under all circumstances. ¶ 17:56
Yes.
It shows that PDF is ubiquitous and important enough that the bad guys see it as worthwhile to target
No.
MP3, JPG and PNG are examples of equally ubiquitous formats that suffer less exploits.
The PDF format allows Javascript payloads that execute when attempting to view the file, this can be put to use as a formidable vector for exploit code.
PDF v1.8 viewers even contain a virtual machine to run flash programs.
From the e-security perspective, a 'vanilla' PDF document should be treated as an unknown application.
What to do?
Stop using 'plain' PDF, enforce a sub standard like PDF/A, PDF/X or other from the rich PDF patchwork.
Check out alternatives: XPS is a format that keeps behaving like a (fixed) document under all circumstances. ¶ 17:56
