dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1537
share rss forum feed

slajoh01

join:2005-04-23

Adobe Reader display PDF in Browser?

I was just wondering if this is a security concern if I have Adobe Reader 11 set to enable to view PDF in browser? Im running IE 8.

Thanks


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Good question. I don't have PDF viewing in my browser enabled (they're automatically downloaded and saved when I click on them). I know my A/V software scans all downloads. What I'm not sure of is if this occurs when viewing in a browser. I suspect so but that probably depends on your A/V.
--
Don't feed trolls--it only makes them grow!


K McAleavey
Premium
join:2003-11-12
Voorheesville, NY
Reviews:
·Verizon Online DSL

1 recommendation

Downloads of PDF's go to your /tmp folder and are completed as a download before the plugin can load and show them. Same with Flash content although Flash these days does a trick to open a file handle and then immediately close it so that you can't copy the content. But since AV's are at kernel level in the file chain, they can still "see" it and use the (now closed) file handle.

So, as long as malware has a signature in the database, your AV will "see" it.
--
Kevin McAleavey, now with the KNOS Project.


norwegian
Premium
join:2005-02-15
Outback
reply to slajoh01

Also if you want to use the browser plug in, make sure you turn off javascript. I've never had a page I've loaded affected by it being turned off.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

2 edits
reply to slajoh01
How come a quick Google search warns against opening PDF in the browser if your AV catches malware as it is downloaded?

That's hogwash I think. I know for a fact my AV on my XP computer doesn't scan a download on Fx as I HATE that and I disable that. I don't think SeaMonkey has the ability nor does Opera. ADS is deposited if you allow the Fx + IE marriage (which allows the scanning on download) which I always delete on any downloaded file as ADS can contain malware. On XP, that scanning by your AV on download on Fx, causes a lot of problems if you want to move the file, etc. as you get a warning that the file came from a suspect computer when really it is the IE zone ID that Mozilla decided to marry and use also that is causing that message.

I believe correct safe hex is to download a PDF to disk and then scan with your AV (right click scan) and then open it DIRECTLY IN THE PDF READER not in the browser. I have ALWAYS done this over 13 years now and never gotten infected. Plus, don't use Adobe Reader. Probably the safest PDF reader is Evince which is a Linux reader ported to Windows. I like it better than any other PDF reader and I have tried most of them. I don't know if it works on Windows 8 without any problems. I need to install it and see.

Evince doesn't mention Windows 8 compatibility, but I just installed it and downloaded to disk two PDF files. One of them is a form I filled out using XP Pro two days ago. I had problems with certain fields that I couldn't fill in using the keyboard and had to fill in after I printed the form. With Windows 8, I had no problems filling in the form using the keyboard.

»live.gnome.org/Evince/Downloads
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


norwegian
Premium
join:2005-02-15
Outback
The safest way is to download it and then scan, with everything period not just PDF files.

I'm sure hashes would be required for anyone serious enough to check authenticity of the file too, possibly certs may come into play for companies that require such stringent rules, but home users wouldn't even really warrant such concerns.
However for trusted sites and the pdf files, opening in a browser is fine, as long as the pdf reader's settings for javascript are turned off.

Generally speaking pdf's from trusted sites won't contain exploits, and if the pdf reader is up to date then you lower further exploit risks and if you are using a limited user in the O/S, then the risk is lowered even more with the restricted privileges also helping block exploits.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
I don't see any javascript settings for Evince. Evince seldom, and I mean SELDOM, updates but why would exploits be written for a Linux PDF reader ported to Windows anyway? The malware writers write for the ignorant of computers users. Those users USED TO get Adobe PDF reader already installed on a new computer and malware writers knew this. This is no longer true. This new computer came with NO PDF reader and NO antivirus software. So, maybe things will change now that users will be forced to download and install a PDF reader and maybe they will actually download something other than Adobe one.

If I wanted to open PDF in a browser, I would just use Mozilla's PDF reader that opens PDF in Fx.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

slajoh01

join:2005-04-23

1 recommendation

DOwnloading PDFs to the HDD first is good measure of security, but its also annoying to me to have it open up within the browser esp. in IE.

Adobe Reader 11 removed this setting from the Preferences settings and now u have to go to the Manage Add-Ons under IE and then select Run Without Permission then select Adobe Reader PDF and then Disable it.

I have no clue whatsover as to why they made it this complicated to disable the Open PDF in Browser setting...Well...I shouldnt say complicated, but hidden....so "not so tech savy" are not able to locate it. Unless they Google it.

OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

reply to Mele20
said by Mele20:

I don't see any javascript settings for Evince.

Perhaps it's because it doesn't support it in the first place. JS was added later on by Adobe to add (IMHO, completely unnecessary) activity into document files, introducing a lot of vulnerabilities along the way...

I have to add, that I concur with this point:
said by norwegian:

However for trusted sites and the pdf files, opening in a browser is fine, as long as the pdf reader's settings for javascript are turned off.

In both cases PDF file is downloaded to your computer first and then is opened. Two steps process (when you open it manually) allows you to choose a different PDF readier, while one step process uses default PDF reader via DDE mechanism, making it a bit more convenient for users.

So, answering the OP question - security depends on your default PDF reader, its settings (JS in particular) and your browsing habits (are you a fast-clicker or not).
--
Keep it simple, it'll become complex by itself...


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Click for full size
Adobe Reader JS settings
said by OZO:

JS was added later on by Adobe to add (IMHO, completely unnecessary) activity into document files, introducing a lot of vulnerabilities along the way...

FYI you can disable Javascript in Adobe Reader/Acrobat. Can't say I've ever come across a (PDF) document that needed it.
--
Don't feed trolls--it only makes them grow!