Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Are PDF parsers really so bad nowadays (this article is over 10 years old), that opening a PDF opens you up to vulnerabilities?

The author made this seem like such a fundamental issue. Is that because PDFs natively have support for say executing code (i doubt) or accessing the filesystem (i doubt), etc...



> Are PDF parsers really so bad nowadays (this article is over 10 years old), that opening a PDF opens you up to vulnerabilities?

Yep, here’s an Acrobat Reader release from two days ago that fixes two arbitrary code execution vulnerabilities since the previous one two months ago: https://helpx.adobe.com/security/products/acrobat/apsb24-92....

I haven’t looked into browser-embedded PDF viewers enough to know how they compare to other software – they’re definitely much safer than Acrobat and still not completely safe (e.g. CVE-2023-1530 in Chrome wasn’t that long ago) – but I would expect them to be at least as safe as other browser functionality.

> Is that because PDFs natively have support for say executing code (i doubt)

They do (https://helpx.adobe.com/ca/acrobat/using/applying-actions-sc..., including “Run a JavaScript”, although that has to be enabled), but indeed that’s not the one fundamental issue; it’s usually just standard vulnerabilities of memory unsafety or terrible design (XML).


Yeah, avoiding Adobe software is probably a mandatory first step in this context.

If I remember correctly Google bought a source code license from some Aussie company (?) for rendering PDFs in Chrome. That was like a decade ago though. I wonder what happened since. Probably lots.


Google bought a license from Foxit, a Chinese company. They've open sourced it since. Mozilla wrote their own and also open sourced it, PDF.js


I do believe Foxit didn't present itself as a Chinese company at the time. Not sure where I got the Aussie thing from. They do and/or did have a Melbourne office. Perhaps its address was used for marketing purposes at the time.

https://web.archive.org/web/20140529210328/http://www.foxits...

> Founded in 2001, Foxit is a leading software provider of solutions for reading, editing, creating, organizing, and securing PDF documents. Headquartered in Fremont, CA, USA, Foxit has operations worldwide in China, Belgium, Japan, and Taiwan


There's more details in the wikipedia talk page: https://en.wikipedia.org/wiki/Talk:Foxit_Software

seems like most of their presence was in china, and was domiciled in china, but they had sales "offices" in other countries and so they emphasized that part for better PR.


PDFs support JavaScript. Here's Adobe's guide on how to add JS to your PDFs: https://helpx.adobe.com/uk/acrobat/using/applying-actions-sc...


It might be in the PDF spec, but most viewers won't run JS.


The most widely ones run JS. And the majority of pdf exploits are not js, but a wide mix over all the things a pdf reader supports.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Acrobat




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: