Hacker News new | past | comments | ask | show | jobs | submit login

Adobe exploits are still a thing. I regularly get emails from silicon valley investors asking for me to open their pdf file which contains their propsal...I chuckle everytime at that line, THERES SIMPLY NO WAY IM GOING TO OPEN A PDF or visit a site with Flash turned on in 2016.



Is the PDF format itself broken, or just the awful Adobe Reader? There are dozens of PDF reader implementations, including all the major browsers. I cannot imagine they are all exploitable in the same way.


Early PDF was quite sane. It was the Postscript imaging model turned into a binary bytecode format with almost all the programmability features removed.

Later on it got wonky (though never even close to the extent to which Flash did!) with all the hypertextification features. But basic PDF is actually one of the Great File Formats in computer history.


Hypertextification features? Ha!

Try 3D model viewer: https://youtu.be/n8KgxaNYRe4?t=27


The sane version is the one defined as the PDF/A ISO standard. Stuff like pulling remote resources, embedding executable code, etc are all forbidden.

https://en.wikipedia.org/wiki/PDF/A


I didn't realize that this standard existed. Thanks for the link, that's very helpful to know. I've always viewed "modern PDF" as an ad hoc thing defined by the intersection of whatever was supported by the popular free renderers.


the javascript stuff made me nuts when i was working on a save as pdf project.


The standard is 1000 pages long. Most reader implementations are written in C/C++.

They are of course exploitable in different ways.

Adobe sometimes does not follow its own spec.

People publishing PDFs sometimes use that non-standard behavior to display some graphics. This is especially true with many research papers that only render on Adobe Reader.


In particular, other viewers often display zero-width lines, which is annoying for colormaps. Those can't safely be saved as bitmaps without oversampling either, as not all viewers can be made to avoid interpolating.


The PDF format is unbelievably complex, far more than is necessary for the average sales brochure or report.

Given that nearly all reader implementations are written in C/C++, it's always going to be an easy target. Sandboxing hash helped a lot, but there's just a lot to go wrong and always will be.


Most browsers have a sandboxed pdf reader implementation. What are you afraid of?


They are much better in my opinion, but not perfect. Last year there was a pdf.js vulnerability: https://blog.mozilla.org/security/2015/08/06/firefox-exploit...


Browsers are not perfect and have vulnerabilities too sometimes. And operating systems..


That's why I'm on Chrome, because it's sandboxed. In November we'll be celebrating 10th anniversary of lagging behind IE if electrolysis isn't integrated into Firefox stable builds.


Why not open it in firefox with pdfjs?

PDF is still the single best/easiest format to use to render some things.


I have on few occasions seen PDF files where the text looked horrible in pdfjs. All in all, it's very useful, though, to quickly look at a PDF before saving it.

For regular use, I have come to really like SumatraPDF on Windows, it is relatively lightweight can be used without an explicit installation (hence no admin privileges are required to get it to work), and most importantly, it saves the position on opened PDF files, so if I open a file again later, I am back right where I stopped reading.


Do you only accept plain text?


You are depriving yourself of a lot of information by avoiding files based solely on file extension (most academic papers are in PDF format, for example). Avoiding Flash, on the other hand, I completely understand.


I am happy to run some exe on my machine. I would never run an exe I have received by email. Not sure I get your point.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: