
antdude
Matrix Ant
Premium Member
join:2001-03-25
US

2 recommendations

antdude

Premium Member

'Better than Adobe' Foxit PDF plugin hit by worse-than-Adobe 0-day

"New security hole: How an evil URL will ruin your day..."

»www.theregister.co.uk/20 ··· in_vuln/

Lagz
Premium Member
join:2000-09-03
The Rock

2 recommendations

Lagz

Premium Member

Perfect example of why I no longer use browser plug-ins to open files within a browser when I can avoid it. Foxit doesn't require you to install the plugin and lets you open the PDF independently of the browser. I use Foxit reader and will continue using it, without the plugin of course. I hate my browser being able to internally open anything. I minimize using the browser to open files internally at all cost. The only browser plugins I use or would recommend are Adblock Plus and NoScript.

StuartMW
Premium Member
join:2000-08-06

5 recommendations

StuartMW

Premium Member

I hate opening any file within a browser. I either "Save As" or have my browser configured to do so. Downloaded files are then scanned with AV before opening.

therube
join:2004-11-11
Randallstown, MD

therube to antdude

Member

to antdude
quote:
Note that that exploit deals with the Plugin (npFoxitReaderPlugin.dll), so if you don't install the Plugin ...
»[Updated] [Free] Foxit PDF Reader 5.4.4

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

1 edit

2 recommendations

Blackbird to antdude

Premium Member

to antdude
It's the same old war between convenience and security. I, like Lagz and StuartMW, never open apps files within a browser. I first download the file and then scan it sixteen-ways-to-Sunday with multiple AV tools before opening it directly within the appropriate application. I consider that merely an ordinary element of "safe hex".

On the other hand, I personally know many users who want the file to open directly in the browser... for "speed and convenience". Some of them have gotten badly infected that way, others of them seem to perpetually be struggling with various functional problems with their browser when it attempts to open the connections to the appropriate viewer or apps software... and their resolved problems seem to revisit them almost every time their browser version is updated. That seems to me to be a high risk to run and a lot of frustration to wrestle with, all in the name of 'speed and convenience'.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

1 recommendation

siljaline to antdude

Premium Member

to antdude
Also spotted:
• »www.h-online.com/securit ··· 636.html

StuartMW
Premium Member
join:2000-08-06

1 recommendation

StuartMW to Blackbird

Premium Member

to Blackbird
said by Blackbird:

..."speed and convenience". Some of them have gotten badly infected that way...

In the engineering world there's the time, cost, quality triangle--pick any two.

Perhaps there's a speed, convenience, security triangle too.

PS: Maybe I should explain that better. The point is that whatever two you pick you lose/give up the third.

HELLFIRE
MVM
join:2009-11-25

1 recommendation

HELLFIRE

MVM

In IT it's called the "cheap-fast-perfect" triangle.

In ITSec it's called the "secure-convenient-intrusive" triangle.

Regards

StuartMW
Premium Member
join:2000-08-06

2 recommendations

StuartMW

Premium Member

I figured there was an equivalent.

I used to have a big printed copy of the triangle on my cubicle wall. I'd point to it when someone in management came to ask about stuff.

ashrc4
Premium Member
join:2009-02-06
australia

ashrc4 to antdude

Premium Member

to antdude
Does nobody else surf/open PDFs using Sandboxie properly configured?
Call it "Proactive layered HEX".