Cheap Hack: Is PDF the New .DOC?

Started by dhilipkumar, Mar 11, 2009, 04:46 PM

dhilipkumar

In my column exploring the possibility of abandoning Adobe for other PDF viewers, I note that the alternatives are not vulnerability-free.

We got another dose of that this morning, as Secunia found a new vulnerability in the Foxit Reader. "Foxit Reader JBIG2 Symbol Dictionary Processing Vulnerability" is not exactly the same as the recent Adobe Reader vulnerability that got me so upset, but they both deal with JBIG2 streams, a PDF data structure. This shows, if nothing else, that Secunia (and perhaps others) are researching these alternative viewers.

I searched Secunia's database for "JBIG2" and found a couple more entries: Several years ago they found multiple vulnerabilities in xpdf, a viewer for *NIX systems. And about a month ago they found a couple of denial-of-service errors in Poppler, an open-source PDF rendering library. The Foxit bug has been fixed, and an update is available.

All of this has me wondering if some of the problem is not just Adobe, but the PDF format. There are cases where a file or data format can have inherent problems making it difficult to secure; truly fixing the problems could cause such compatibility problems with existing users that it's not worth doing. This is why Microsoft created its new XML-based file formats for Office rather than "just fixing" the classic Office formats, based on OLE2 Structured Storage.

Was Microsoft successful? Yes and no. Office 2007 has had very few vulnerabilities, and most, if not all, of them (including a current 0-day bug) are in support of the old file formats. But the success has been muddied somewhat by slow uptake of Office 2007 because of radical UI changes. Mostly I'd say yes, it was important for them to make the change and it was successful in that regard, but old Office formats won't go away soon.

There's no good lesson to learn here for Adobe; it's not like it can get away with making a "PD2" format incompatible with PDF, just a few months after the PDF format was released as an ISO standard. That's just more reason to worry though. The next few months could show whether things will get better or worse.