LWN: Comments on "A Firefox PDF plugin XSS vulnerability"
https://lwn.net/Articles/216223/
This is a special feed containing comments posted to the individual LWN article titled "A Firefox PDF plugin XSS vulnerability".
Feed built Wed, 24 Sep 2025 19:20:51 +0000

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/217241/
Posted by endecotp, Thu, 11 Jan 2007 17:29:53 +0000

In your examples, the line art is anti-aliased in Acroread but not in Evince, and I think that the fonts are hinted in Acroread but not in Evince. These examples are consistent with what I've seen: you need to zoom in one or two more steps with xpdf to see the same amount of detail that you'd see in the Adobe product.

The anti-aliasing issue should be fixable - plenty of OSS graphics libraries can already do this. Getting the font rendering right is also possible - for example FreeType2 can do hinting - but it is patent-encumbered.

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216983/
Posted by droundy, Wed, 10 Jan 2007 03:02:09 +0000

Are you aware that you can configure kpdf to show nothing but the document? It's hard to beat that, in terms of screen real estate. This is what switched me from gv over to kpdf (that and kpdf is the first pdf viewer to obtain a decent "watch file" capability).

----
server-side solutions
https://lwn.net/Articles/216890/
Posted by roelofs, Tue, 09 Jan 2007 17:19:14 +0000

> Web browsers don't seem to pay any attention to a "Content-disposition: attachment" header line. The only reliable way we found to stop downloads from displaying in the browser was to add an ONCLICK attribute to the link, something like this:

But the whole point (as I understand it) is that you *don't* control the link--the bad guy does (e.g., a phishing site or somebody else's cracked site). And *his* link certainly won't include that onclick/save-to-disk function.

(Of course, you were probably referring to historical attempts to prevent inline display, not something in response to this latest threat, which is a useful data point either way.)

Greg

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216846/
Posted by hein.zelle, Tue, 09 Jan 2007 14:50:28 +0000

Would it be worth considering a workaround in the browser (firefox in this case) instead of the plugin? It's not firefox's fault, but at least the firefox source code is available so something could potentially be done about it. Firefox also has an update system which might work better than relying on users upgrading their acroread plugin.

----
server-side solutions
https://lwn.net/Articles/216810/
Posted by ldo, Tue, 09 Jan 2007 07:51:53 +0000

Web browsers don't seem to pay any attention to a "Content-disposition: attachment" header line. The only reliable way we found to stop downloads from displaying in the browser was to add an ONCLICK attribute to the link, something like this:

    <SCRIPT>
    function PleaseSaveToDisk()
    {
        alert("Please right-click and save the item to disk.");
        return false;
    }
    </SCRIPT>
    <A HREF="link-to-whatever" ONCLICK="return PleaseSaveToDisk()">

----
server-side solutions
https://lwn.net/Articles/216791/
Posted by roelofs, Mon, 08 Jan 2007 23:43:41 +0000

> Other server-side solutions (http://lwn.net/Articles/216216/) are being discussed as there is a concern that users are unlikely to upgrade their browser plugins.

Another one I saw (beyond the linked token_query suggestion) is to have the server mark PDFs as attachments, which forces them to be downloaded. It's not as convenient for users, but it completely bypasses the broken plugin.

Greg

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216790/
Posted by roelofs, Mon, 08 Jan 2007 23:35:42 +0000

> Well, here's a comparison of Evince 0.6.1 versus Adobe Reader 7. I think you can see the difference in the quality of the line art.

Very nice, thanks. That matches my own gut impressions: Adobe uses some very nice scaling and interpolation algorithms in its PDF viewers, not only on fonts but also on vector lines (as here) and on embedded bitmaps like scanned US patents. And they're reasonably fast at it, too. I can't tell if it's full multitap resampling, but... *nice* (to quote Borat).

I have no doubts free software will catch up before very long, though I am a little surprised we're not there already. (Different priorities, I guess. :-) )

Greg

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216524/
Posted by Los__D, Sat, 06 Jan 2007 05:51:06 +0000

I'm afraid that I'll have to wait until the 9th to check them out. I'm in Beijing right now, visiting my wife's parents, and since an earthquake took out the Chinese main Internet line, I'm browsing pages at around 2kB/s (on &*^$%@$#*&* IE/Windows)... After 5 minutes, I could more or less only see the top bar, and a little of the windowbar on one of the pictures, still nothing on the other...

But about line art: I did a few comparisons myself a couple of months back. On an e-ticket there was a little logo, which at 100% looked a bit nicer in acroread, but when you zoomed in, it actually looked nicer in Evince than in acroread... Maybe they just have differing rendering settings at different zoom levels, or something.

Dennis

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216486/
Posted by jwb, Fri, 05 Jan 2007 18:15:26 +0000

Well, here's a comparison of Evince 0.6.1 versus Adobe Reader 7. I think you can see the difference in the quality of the line art.

http://tastic.brillig.org/~jwb/evince-vs-adobe.png
http://tastic.brillig.org/~jwb/evince-vs-adobe2.png

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216484/
Posted by amarjan, Fri, 05 Jan 2007 18:04:46 +0000

As mentioned on the WEB SECURITY mailing list, services like tinyurl.com can be used to hide malicious URLs, so user education in this case would be even less effective than usual.

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216451/
Posted by k8to, Fri, 05 Jan 2007 16:01:50 +0000

No, there is basically no advantage to the browser plugin. It used to be that the browser plugin was more networked than acroread, for things like hyperlinks outbound from the pdf back to the web. But acroread has sprouted sufficient tentacles to fill in such gaps.

The plugin has become a clunkier, crashier acroread that takes out your browser with it.

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216442/
Posted by jschrod, Fri, 05 Jan 2007 14:03:59 +0000

Acroread has the ability to add comments, e.g., during review cycles. (One needs to have Acrobat for creation of such PDF documents, though.)

I have documents that I can only print in acroread; [xk]pdf just happen to do nothing, without any error message.

For some documents, acroread is much faster when one changes pages. One pays with the very long startup time, though.

Selecting text (copy & paste) works better (that means: the UI is more intuitive, the action is more often successful) in acroread.

OTOH, I use xpdf a lot more than acroread due to its fast startup time. I use it also more often than kpdf since its desktop real estate need is smaller. I would never use any of these tools as a browser plugin, though -- I want to have such documents in their own top-level windows.

Joachim

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216438/
Posted by wookey, Fri, 05 Jan 2007 12:14:29 +0000

I have not used acroread since about 2002 and in the last year or so I have found that just about all PDFs finally render fine under either evince or xpdf (it used to be necessary to try 2 or 3 free viewers and still some docs gave problems). But there are still things that acrobat does better than the free viewers (I have found two bugs in fairly obscure areas, grouping opacity (or something like that) and clipping, in the last two weeks due to some intensive use of therion, which apparently do not occur in acrobat). And there is the form-filling thing, which I have never missed, but some people might.

I posit that most users would find the free PDF viewers entirely adequate these days, and certainly if Adobe's has this serious flaw then stopping using it is the obvious thing to do. Hopefully some people who haven't used the free viewers for years will try them again as a result of this and be pleasantly surprised at how well they work now.

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216424/
Posted by Los__D, Fri, 05 Jan 2007 08:35:50 +0000

Strange, I use quite a few electronic datasheets, and all of them have looked perfect in Evince so far. (And yes, I have done comparisons to be sure, as I also have had less than acceptable results in the past.)

This includes quite a few datasheets from Atmel, Micrel, Microchip (damn I hate PICs), Epson, TI, National, and way too many from suppliers that still think that photographs put into PDFs are perfectly acceptable.

----
Can't this be fixed in Firefox?
https://lwn.net/Articles/216382/
Posted by spitzak, Thu, 04 Jan 2007 23:02:15 +0000

Can't this be fixed by changing whatever code the Adobe plugin calls to retrieve the url? It probably should just get the data and not execute anything. It would seem this may be a good idea in general as it would fix any broken plugin that intends simply to get some info from the net and did not intend to change the state of the browser.

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216368/
Posted by glettieri, Thu, 04 Jan 2007 20:26:14 +0000

If you type "about:plugins" as the url, you will get a list of installed plugins. To remove acroread, you should find the directory where firefox plugins are installed (/usr/lib/nsbrowser/plugins on my Gentoo box, but maybe /usr/lib/mozilla-firefox/plugins on other systems) and remove the file or symlink "nppdf.so".

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216355/
Posted by jwb, Thu, 04 Jan 2007 19:00:07 +0000

The quality of the rendering in Adobe Reader is far higher than any of the free clones. I spend a good chunk of my time reading data sheets for electronic components and they are pretty well unreadable in Evince/XPDF/KPDF. In Adobe Reader they look tremendous.

That said, I never use the browser plugin.

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216353/
Posted by emgrasso, Thu, 04 Jan 2007 18:59:04 +0000

Two questions (well, two and a half):

Does this vulnerability also affect browsers like Konqueror that can load Firefox plugins?

Is there a clean way to uninstall the Adobe plugin if it is present? And a good way to find out whether it is present and active?

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216352/
Posted by kamil, Thu, 04 Jan 2007 18:51:35 +0000

Some PDF documents allow you to fill in some information before printing them out. Many application forms in PDF act that way. Can you fill in PDF documents using k/x/gpdf? You can with acroread.

Also, it's been my experience that acroread is in general more reliable in displaying PDF documents properly: no weird formatting problems and such. But I haven't tried recent versions of k/x/gpdf, so they could very well be better in this regard these days.

Having said that, I never enable the Adobe PDF browser plugin. It always seemed counterintuitive to me to have PDF documents displayed in a web browser. Last I checked, it also caused problems when switching the PDF viewer to fullscreen and back.

----
A Firefox PDF plugin XSS vulnerability
https://lwn.net/Articles/216331/
Posted by pr1268, Thu, 04 Jan 2007 17:22:59 +0000

Just out of curiosity, is there any motivation for GNU/Linux users to even use Adobe's PDF reader/plugin? I'm quite happy with my choice of KPDF, XPDF, and GPDF. I choose to view PDF files downloaded from the Internet in the separate viewer application, and I configure Firefox's MIME handler to open the appropriate application.

Is there something I'm missing by avoiding Adobe's PDF viewer?
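The server-side mitigation raised in the "server-side solutions" comments above (have the server mark PDFs as attachments so the browser downloads them instead of handing them to an in-page plugin), worked through as an added example that is not part of the LWN thread or any commenter's post. It is a small Python WSGI handler; the function names, the in-memory file store and the sample bytes are constructed for this illustration. It goes a little beyond the thread's suggestion: it verifies the file's own magic bytes before labelling anything as application/pdf, sanitises the download filename, and sends X-Content-Type-Options: nosniff so the browser does not second-guess the declared type.

```python
"""Added example (not code from LWN or any commenter): serve PDFs as
downloads rather than inline documents, so the browser never passes
them to an in-page plugin.  Names and sample data are constructed."""
from urllib.parse import quote
from wsgiref.simple_server import make_server

PDF_MAGIC = b"%PDF-"  # every PDF file begins with this header

# Constructed in-memory store standing in for a real document directory.
SAMPLE_FILES = {
    "q1 report.pdf": b"%PDF-1.4\n% constructed sample, not a real document\n",
    "notes.txt": b"plain text, not a PDF",
}


def looks_like_pdf(data: bytes) -> bool:
    """True if the bytes carry the PDF header; guards against labelling
    arbitrary content as application/pdf."""
    return data[: len(PDF_MAGIC)] == PDF_MAGIC


def basename(name: str) -> str:
    """Drop any directory component, whichever separator the client used."""
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def safe_ascii_filename(name: str) -> str:
    """Conservative ASCII form for the plain filename= parameter
    (the original name goes, percent-encoded, into filename*)."""
    base = basename(name)
    kept = [c if (c.isascii() and c.isalnum()) or c in "-_." else "_" for c in base]
    cleaned = "".join(kept).strip(".") or "download"
    return cleaned if cleaned.lower().endswith(".pdf") else cleaned + ".pdf"


def pdf_download_headers(data: bytes, filename: str) -> dict:
    """Response headers that force a download of a verified PDF."""
    if not looks_like_pdf(data):
        raise ValueError("refusing to serve non-PDF content as application/pdf")
    ascii_name = safe_ascii_filename(filename)
    utf8_name = quote(basename(filename), safe="")  # RFC 5987 filename* form
    return {
        "Content-Type": "application/pdf",
        "Content-Length": str(len(data)),
        "Content-Disposition": (
            f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{utf8_name}"
        ),
        # Stop the browser from sniffing the body and choosing another handler.
        "X-Content-Type-Options": "nosniff",
    }


def wsgi_app(environ, start_response):
    """Minimal WSGI app: GET /<name> returns SAMPLE_FILES[name] as a download."""
    name = environ.get("PATH_INFO", "/").lstrip("/")
    data = SAMPLE_FILES.get(name)
    if data is None or not looks_like_pdf(data):
        # Unknown names and non-PDF files get the same answer; nothing is served inline.
        start_response("404 Not Found", [("Content-Type", "text/plain; charset=utf-8")])
        return [b"not found\n"]
    headers = pdf_download_headers(data, name)
    start_response("200 OK", list(headers.items()))
    return [data]


def respond(path: str):
    """Drive wsgi_app for one request; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(wsgi_app({"PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed local run: then fetch http://127.0.0.1:8000/q1%20report.pdf
    with make_server("127.0.0.1", 8000, wsgi_app) as httpd:
        httpd.serve_forever()
```

The design choice worth noting is the 404 for non-PDF content: a file that fails the magic-byte check is not served with a different Content-Type, because the goal is that every byte leaving this endpoint is either a verified PDF wrapped in a forced download or nothing at all.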