Sunday, May 16, 2010

PDFs are the devil.

This isn't new, but a lot of folks don't seem to realize just how bad PDFs are.  Remember when we told people to send us PDFs instead of Word documents because we thought PDFs were "safe"?  Boy, were we wrong.  OK, we weren't wrong, but times (and threats) have certainly changed.  Now, with the XML-based Office file formats and the proliferation of PDF malware, I'm much more leery of PDFs than DOCX files.  The PDF specs are part of the problem, and the implementations of PDF readers are another part of the problem- the specs allow for things like embedded executables, and the implementations are buggy.  If you haven't read about these issues, check out the articles below:

http://www.f-secure.com/weblog/archives/00001903.html

http://www.f-secure.com/weblog/archives/00001923.html

http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/

Some have suggested disabling JavaScript in your PDF reader, but that doesn't resolve all of the issues.  I don't have a perfect solution, but I do have a suggestion, one that I've adopted- it is far from perfect, (it is slow and lacks features), but it works to add a layer of protection when viewing PDFs online.  Gpdf can be deployed to your browsers (Google Chrome and Mozilla FireFox only), it will open PDFs in Google Docs, this moves rendering to Google's servers and adds a big layer of protection to your browser.  Information and installation instructions are available from http://blog.arpitnext.com/gpdf.  Google docs rewrites PDFs on the fly, and adds a significant layer of protection.  Now don't be naive, Google rewrites the PDF so they can see what you are reading, and any anti-malware systems they use are to protect their servers, not you- they are Google, after all.

As I said, Gpdf is not perfect, but it is a step forward.  Which is the right direction.

 

Jack