Are PDFs dangerous?

[Brumby]

Extracted from a thread that was not about PDFs......

It's generally better to just post images. People are generally suspicious of PDFs.

... ... ... ...

I made them pdf, since I thought that format is available for most people.
 
... ... ... ... ... ... ... ...

I made them pdf, since I thought that format is available for most people.

Yeah, I certainly do not agree that “people are generally suspicious of PDFs”.

That said, because of how the forum software handles PDFs, they’re super annoying on iOS, because it wants them to download into a PDF viewer app, rather than displaying them in Safari. So images like JPEG, PNG, and GIF are nice for us who like to browse on iPad, since they just show up without fuss. (The forum admins don’t seem to care about this, they similarly have ignored repeated requests to add the .jpeg file extension, which is what iOS uses when uploading images.)

There are pdf exploits. One of many pages about this topic.

There are pdf exploits. One of many pages about this topic.

The existence of exploits isn't under dispute. What I dispute, vehemently, is your claim that "People are generally suspicious of PDFs."

No, they aren't.

One might argue that they should be, but they certainly are not. Some people (a tiny percentage) are suspicious, but not a majority as you are claiming.

[helius]

Adobe Acrobat has a history of a number of security problems. From what I have seen, this isn't the case with other PDF readers like Preview or Ghostscript.

[Ian.M]

Yes - IMHO you are crazy if you open untrusted PDFs in Adobe Acrobat Reader unless its locked down to remove all multimedia and scripting capabilities.    Adobe's Javascript implementation has a very poor security record.   Other readers that don't support Javascript are generally a safer choice, but even so you should probably use a sandbox.

[Cliff Matthews]

AFAIK, non-Adobe PDF readers can read PDF standardized doc. versions up to 1.6 and that's more than enough for text and graphics exchange with links (but hover and read where they take you..). More info here: https://www.prepressure.com/pdf/basics/version and of course wikipedia: https://en.wikipedia.org/wiki/Portable_Document_Format#History_and_standardization

FWIW, I've used this reader for years (it allows some editing) https://www.tracker-software.com/product/pdf-xchange-viewer

[Mechatrommer]

Adobe Acrobat has a history of a number of security problems.

what (descent) software has no security history problem? about the topic... my advice, install antivirus and update virus definition daily. exes are not safe dont run any program, stay in the cave is much safer. if you can suggest one file format that care share pictures and text without changing formatting on different PC, free reader SW, other programs support exporting greater acceptance etc, then name it, we will be happy to use it.

[agehall]

Well, just having antivirus doesn't protect you as that is always a cat&mouse game and unfortunately, the antivirus definitions will always lag. PDF exploits can be extremely nasty and you are smart if you are cautious before opening unknown PDFs.

[paulca]

Anti-virus is ransom ware with Microsoft and the big AV companies are the mafia.

It is perfectly possible to make Windows work much better against viri but if MS did so all those AV companies would go out of business.  So there is undoubtedly a relationship between them that keep windows susceptible to Viri and I wouldn't put it past the origin of a lot of viri is actually the AV companies themselves.

Conspiracy theories aside.  I currently work in a bank under very high IT security, you can't even use a flash drive and all internet access is proxied.  Yet we have Adobe Acrobat installed and can open PDFs.  I expect however that the version will have been choosen very carefully.

At home I use Linux, so it's either Okular or anyone of the Ghostscript based solutions, that or Chrome's built in PDF viewer, which currently has a kerning bug which makes reading datasheets really difficult.

[Gyro]

I use SumatraPDF with the sumatrapdfrestrict.ini file locked down to prevent weblinks, mailto etc.

[agehall]

I use SumatraPDF with the sumatrapdfrestrict.ini file locked down to prevent weblinks, mailto etc.

It's not really the weblinks or the mailto-links you need to worry about. It's the javascript stuff that is the real danger.

[bd139]

I use Chrome to read PDFs. Why have just Adobe's holes when you can have a browser's holes and a PDF engine written in JavaScript! 

The problem is that  PDFs are a superset of Postscript which is a programming language. Your PDF is a program. And that comes with all the associated problems with downloading untrusted software.

[Mechatrommer]

It's not really the weblinks or the mailto-links you need to worry about. It's the javascript stuff that is the real danger.

disable javascript in the setting.

It is perfectly possible to make Windows work much better against viri but if MS did so all those AV companies would go out of business...

dont you ever suggest monopolization like that. if MS embed AV in Windows, the price can go up and the MsAV can go crap and alot laggy, a well known Ms traits, more powerfull computer but crappy OS performance. thats why some people still prefer to stick in WinXP.

Well, just having antivirus doesn't protect you as that is always a cat&mouse game and unfortunately, the antivirus definitions will always lag. PDF exploits can be extremely nasty and you are smart if you are cautious before opening unknown PDFs.

the cat will wait at the hole if mouse comes in it will never make it. Windows API has some sort of "interrupt" to tell applications like AV when a file is stored in the HDD or some network backdoor is opened. scan will be conducted immediately and goes to chest or blocked if found guilty, i used Avast, no laggy transparent in background like crystal water. if AV fails, no worry we have a format and restore button everything will be like a newborn i used AOMEI Backupper for this, and a hidden OS somewhere. but very seldomly used, only like 2-3 years once. this is also good to get rid of junk files accumulated during the years and spaghetti registry due to too many installs uninstalls. if a virus ever survived a format, such as stored in BIOS, then it should not be the pdf or the virus makers to be blamed.

[Mr. Scram]

I understand people love to hate Microsoft, but Windows Defender seems to score quite well nowadays. Few third party suites can beat it. It used to be utter rubbish, but I have to admit it's actually more than just serviceable nowadays.

[bd139]

I understand people love to hate Microsoft, but Windows Defender seems to score quite well nowadays. Few third party suites can beat it. It used to be utter rubbish, but I have to admit it's actually more than just serviceable nowadays.

Windows Defender is dangerous and architecturally flawed. It is based on Security Essentials (same runtime engine):

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

Fundamentally it runs it's sandbox as a privileged user. If the sandbox fails, you can own the system in two minutes flat. It doesn't even require the user to initiate the attack as everything coming in hits that sandbox. Just the very presence of something arriving in your mailbox can break your system.

[Cliff Matthews]

There's well known NPO labs already providing solid AV facts for the enquiring. Eg:  https://www.av-comparatives.org/

[Mr. Scram]

Windows Defender is dangerous and architecturally flawed. It is based on Security Essentials (same runtime engine):

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

Fundamentally it runs it's sandbox as a privileged user. If the sandbox fails, you can own the system in two minutes flat. It doesn't even require the user to initiate the attack as everything coming in hits that sandbox. Just the very presence of something arriving in your mailbox can break your system.

Looks like that was patched, though I'm a bit wary of calling it fixed just on that basis.

Regardless, compared to the competition it fares quite well when you throw real world stuff at it. I get what you're saying, but I'm not sure an architectural edge is beneficial if your system is compromised because brand X didn't stop a regular infection in time.

[bd139]

Running everything that comes in via a privileged process basically nullifies the advantages.

Then again Kaspersky is well known for suddenly finding tcpip.sys contains a virus and then taking out whole companies.

It's all shit and we have to swim in it.

[TheUnnamedNewbie]

I understand people love to hate Microsoft, but Windows Defender seems to score quite well nowadays. Few third party suites can beat it. It used to be utter rubbish, but I have to admit it's actually more than just serviceable nowadays.

I've been running only defender for years on all my main systems. I run scans with third party software every now and then and they never seemed to detect something. The old security essentials was not worth much, but defender seems like a nice tool that does the job and is seamlessly integrated into windows.

Regarding PDFs: I am not using Adobe Acrobat, and mainly use drawboard and PDFXchange. Both are a non-free (as in you pay for it, I don't know/care about the software license). Drawboard is great on my surface due to the writing options.

[Gyro]

I use SumatraPDF with the sumatrapdfrestrict.ini file locked down to prevent weblinks, mailto etc.

It's not really the weblinks or the mailto-links you need to worry about. It's the javascript stuff that is the real danger.

I'm already safe there. Sumatra doesn't support Javascript at all.   

[tooki]

The problem is that  PDFs are a superset of Postscript which is a programming language. Your PDF is a program. And that comes with all the associated problems with downloading untrusted software.

You have that exactly backwards. PostScript is indeed a full programming language (and yes, there were demos of PostScript applications running on laser printers, using the printed page for output). But as originally conceived, PDF is a subset of PostScript that cannot execute code -- the PDF file contains only the declarative PDF graphics commands, embedded fonts and graphics, and in later versions, the bolted-on interactivity.

Long after inventing PDF, Adobe added JavaScript to it to give it interactive capabilities like forms.

Most PDF vulnerabilities are either: JavaScript that is set to execute on launch; "normal" exploits of a rendering engine (buffer overflows, etc); or trivial JavaScript vulnerabilities like "bad" email addresses and links.

In a nutshell, a PDF can contain executable JavaScript. But the graphics commands themselves are purely declarative graphics drawing commands. A non-interactive (and non-infected) PDF contains no executable code.