Comments on: PDF Security – Avoiding Exploits

By: Steve RJ

Steve RJ — Mon, 17 Nov 2008 23:28:07 +0000

Early versions of Foxit reader did not support javascript. I know this because our company tested LockLizard viewer for secure PDF files, which we were told was based on the Foxit version 1 SDK, and javascript is not supported. In fact all active content is prevented from loading, but it only works with LockLizard protected PDF files. I guess we are back to the age old question of security vs usability…

By: Joel

Joel — Mon, 10 Nov 2008 21:22:42 +0000

Even the exploit doesn’t affect Adobe Reader version 9 is good to disable JavaScript just in case. About FoxReader there must be a way to disable JavaScript also or at least another version that covers this hole.

By: John Kirkham

John Kirkham — Sat, 08 Nov 2008 06:44:26 +0000

Same as SAP said but I thought this problem was only tested & found in Foxit first up in the last week.

By: SAP

SAP — Fri, 07 Nov 2008 14:38:12 +0000

I’ve just noticed that the Net Security article cited in the article specifically says that the Adobe Reader bug is the same as the previously discovered bug in FoxIt.

Foxit *was* affected by the bug (CVE-2008-1104), but it was fixed some time ago.

So presumably Foxit Reader does support Javascript.

Though it is much smaller and quicker to load than Adobese Reader.

By: SAP

SAP — Fri, 07 Nov 2008 14:23:22 +0000

I have seen a PDF file containing some forms to fill in.

There was some scripting involved which checked that the appropriate fields had been completed. Perhaps that is what Javascript is for.

One advantage of using JS rather than inventing a new scripting language is that people don’t need to learn a new language.

However, JS *should* have been added in such a way that it could only be used to affect elements within the PDF.