It is astonishing that software that was created to present documents in a "neutral format", Adobe Acrobat, can be hacked. Another case of taking a great product and adding features that eventually take the software far beyond the original architecture and creating security vulnerabilities.
Why is JavaScript even an option in PDF files? PDF files were suppossed to be the safe alternative to documents that you might receive in formats such as Word. I guess that has gone by the wayside.
Here is the link to Adobe's update site.
US-CERT has more detail about the vulnerabilities and other workarounds and protection methods on their web site.
When PDF was updated back in 1996 (Acrobat 4, PDF 1.3) to incorporate the functionality of rich interactive forms (ala HTML forms) the need to incorporate a programming language that would enable the inclusion of business rules was needed. In keeping with the language of the web, we choose JavaScript.
ReplyDeleteLeonard Rosenthol
PDF Standards Architect
Adobe Systems
Thanks for the clarification. Clearly, there is a tradeoff in many software products between features and security. What are you thoughts about two formats: a PDf file that cannot be modified and a PDF-Forms that could be modified?
ReplyDelete