
Security researcher argues for built-in PDF viewer in Windows

10 May 2010 | 5 Comments

Sean Sullivan, a security advisor for Finnish anti-virus vendor F-Secure, recently said that Microsoft should include a basic PDF viewer in Windows to help protect users from PDF attacks.

Sean cited Apple as an example: Mac OS includes Preview, a PDF viewer that lets users view and read PDFs. A basic built-in PDF reader would meet users’ usual needs for opening and reading PDFs while avoiding any exploitation of advanced PDF functions such as JavaScript and support for launching embedded content. Recently, there has been a huge rise in PDF attacks in which security has been compromised through malicious embedded content.

MS Office cannot open PDFs without the help of third-party software or add-ons, and the preview feature in Windows 7 and Windows Vista won’t display PDFs. Microsoft has promoted a substitute for PDF through the XPS viewer bundled with Windows 7, but this has had little success.

Sean argued this case in late April in a post on the F-Secure security blog, which can be read at http://www.f-secure.com/weblog/archives/00001943.html.

The news appeared at http://www.computerworld.com/s/article/9176223/Windows_needs_a_built_in_PDF_viewer_argues_researcher in early May.


5 Comments »

  • Nick De Roeck said:

    Sean Sullivan argues that this viewer can also be a separate download, but why not download Adobe Reader then?

    Isn’t this asking Microsoft to fix the mess Adobe made with PDF?
    And in one go, opening yet another front for Microsoft where they will need to defend against accusations of being the big bad gorilla crushing innovation?

    Apple’s PDF viewer is indeed an incredibly useful application, but it’s not like they are getting a lot of big gratitude from Adobe, if you’re following the Adobe evangelists, they take every opportunity to take a stab at Apple’s app.

    Fact of the matter is: PDF is broken. Becoming a jack of all trades, master at none.

  • Rowan Hanna said:

    Why does Windows include an application that lets you preview JPG, BMP, TIFF, PNG, etc, images?

    PDF is just as ubiquitous as TIFF files (and other image formats) these days and yet if you want to view them on Windows, you have to download a separate app. Whereas on Mac OSX and a lot of Linux distros, a basic built-in PDF viewer is included by default.

    With regards to the security exploit, there is no “mess” that needs to be cleaned up. Simply put, there are countless ways that security exploits can make it onto your computer. Using your definition of a “mess” you could argue against using USB drives, floppy disks or even the Internet because all of these mediums can be used to transport security exploits onto your computer.

    JavaScript is just one small feature of PDF and is mostly irrelevant to the majority of users — they won’t even notice if they’re using a PDF viewer that doesn’t support it.

    Getting back to Sullivan’s point, if you use a PDF viewer on your computer that does not support JavaScript (or allows you to work without JavaScript support enabled), then there is no security exploit. The same thing can’t be said for removing the possibility of exploits from other Windows applications, such as Microsoft Word.

    If Microsoft were to introduce a basic PDF viewer for Windows (similar to the Preview feature in Mac OSX) then it would be a win-win situation for Windows users. They would no longer need to download a separate app and they wouldn’t be exposed to this security exploit.

  • Karl De Abrew (author) said:

    Actually — exhibit A in this case would be the built-in Gmail PDF viewer — I almost never download a PDF file within gmail when I’m looking for a quick read/heads up….

  • Rowan Hanna said:

    That’s a great point — I rarely download a PDF that I receive via email before I have viewed it in Gmail’s PDF viewer. It’s much quicker to open the PDF via Gmail instead of downloading it and then waiting for a PDF viewer to launch.

    This would help skip over the security issue as well. If Gmail can have a PDF viewer, why can’t Windows??

  • Nick De Roeck said:

    The mess I’m referring to is the leaky abstraction that Adobe has created around the concept ‘document’ with PDF.

    PDF contains JavaScript (and actions), so one has to assume that a PDF can contain it. It doesn’t matter if this is only a small part of the spec.

    From a security standpoint receiving a PDF is becoming equivalent to receiving an application – which is a big difference. Relying on the goodness of a ‘well behaving client app’ also isn’t that great.

    The Google solution is a good one, albeit an ironic one.
    It keeps the document outside, and turns the PDF back into a ‘safe’ static document that displays in your browser.
