Hacker Finds Multiple PDF Backdoors

Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are least seven different ways to backdoor a PDF."

Non Adobe?

[BiggyP]

Ok, i don't have the Adobe reader installed but rather Evince and gPDF, since these lack support for a lot of the additional features of PDF am i any safer?

Evince, etc.

[Noksagt]

I also mostly use evince. Neither test worked. They triggered this message:
"** (evince:18185): WARNING **: Unimplemented action: POPPLER_ACTION_UNKNOWN, please post a bug report with a testcase."

Note that a different implementation only gives you DIFFERENT bugs and holes, as anyone who has followed exploits in xpdf knows.

Re:Evince, etc.

[Anonymous Coward]

Did you file a bug to let them know they didn't support the exploit? This is free software, they should get right on it.

Popplers?!?

[bunions]

Oh lord, we're doomed!

http://en.wikipedia.org/wiki/Omicron_Persei_VIII [wikipedia.org]

Re:

[Anonymous Coward]

FYI, the pdf rendering engine is named after the futurama popplers: http://en.wikipedia.org/wiki/Poppler_(software) [wikipedia.org]

Re:Non Adobe? (Off-topic)

[itsari]

I am using Slashdot's Discussion2 and I accidentally modded you redundant. Just posting this reply to cancel the mod.

I find it very odd that there is no confirmation before a selected mod is applied. I think I'll submit that as a UI bug. Sorry for the inconvenience.

BTW, I meant to mod the parent as Interesting, because he raises a great question: Are these flaws of the PDF format? Or just Adobe's implementation (or extensions)?

Re:

[dextromulous]

Not necessarily.

Some gPDF [securityfocus.com] vulnerabilities.

I didn't find any Evince vulnerabilities in my limited search, but that doesn't mean there will not be one. You will most likely remain safe from 'sploits targeted towards Adobe users by not using the Adobe PDF reader, but that should be obvious.

Windoze and IE implicated, again.

[twitter]

Evince and gPDF, since these lack support for a lot of the additional features of PDF am i any safer?

From the Fine Article:

the target's browser is automatically launched and loads the embedded link. "At this point, it is obvious that any malicious code [can] be launched," Kierznowski said.

That looks like a lot of auto magic nonsense that most free software would not do. The only thing that's obvious to me is that any malicious w32 code is going to bounce off my browser. My pdf reader, kpdf, did not take the first step of automatically launching a browser and my browser would not take any of the dozens of brain dead and spam friendly automatic steps that makes IE a dissaster. A computer that's not internet safe but is connected to a network is always at risk.

Note that it's not a "lack of features" that makes kpdf work right. Kpdf has links that work when you press them, table of content browsing, keyword searches, text and image cut and paste, and prints flawless copy. Those are the features you want in a pdf viewer. Automatically popping up a browser is a feature you don't want.

Re:

[TheoMurpse]

I clicked on the links with Opera in Windows XP, it launched Adobe Acrobat Reader as it should have, and then...nothing. Neither of the exploit demos were successful on my setup (Opera-XP-Acrobat Reader). Does this mean it's an IE-only exploit? (Note: my default browser is Opera as well)

Core PDF freature and not a bug anyway

[Craig Ringer]

The first "vulnerability" is the ability to have clickable web links in a pdf. It's a standard feature of the PDF document language, and all conforming viewers should support it. I'd be surprised if evince doesn't, but most of the other free viewers are too primitive.

In my view this claim is idiotic anyway. I just found a giant security hole in HTML where if they view my page or email with a link and if they click on it, it might take them to a malicious site.

*yawn*

Re:Core PDF feature

[Craig Ringer]

My mistake - that post is not correct. It appears to actually be using JavaScript as supported by Adobe reader to automatically launch a link. Still, in my view, not a big deal (and my Adobe Reader asks for confirmation anway) but somewhat more valid.

More cool KDE display options.

[twitter]

The ability to rotate pages, and a status bar at the bottom saying "Page X of Y",

For version 0.5.1 (might be old by now) of kpdf, the thumbnails in the side pane do page numbering as you want. I'm not sure about the rotation because I have not needed to do that in years, but that would be a useful feature. It's on the wish list [kde.org] and you can fall back to Kghostview if you run into something that really needs rotating. It should show up under View->View Mode of Konqueror as an option when you look at pd

GhostView

[RareButSeriousSideEf]

The nearly featureless PostScript viewer GhostView ( http://www.cs.wisc.edu/~ghost/ [wisc.edu] ) does me fine for most PDF viewing chores. If a document needs more attention than can be read on screen in a few minutes, I'm just going to send it to a printer anyway.

If it's full of "interactive content," then, well, you shouldn't have made it a PDF, since I'm pretty unlikely to jump through hoops to discover what you're trying to say. Use HTML or PowerPoint or what have you if you really need interactivity. My distrust

Re:

[FudRucker]

it probably happens more often then what is reported, websites and their databases get compramized often and users info gets ripped is what you hear about - the method used to gain access is not reported (could be innocent looking PDF files opening the holes...

--firefox-does-not-have-a-spell-checker-extension( yet)

Re:

[account_deleted]

Comment removed based on user account deletion

Heh

[Shawn is an Asshole]

<beavis_and_butthead>
Huh huh, penetration.
</beavis_and_butthead>

Who started giving this title?

Re:Heh

[SanityInAnarchy]

Speaking of buttheads, probably the same person who decided to call it a "backdoor".

It's not a vulnerability, it's an exploit...

[crazyjeremy]

"I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this," Kierznowski said in an e-mail interview with eWEEK.

Isn't that what a vulnerability is? Exploiting a "feature" in a way not originally intended?

Re:It's not a vulnerability, it's an exploit...

[JustNilt]

It seems a fine line but I think many would consider this an exploit. A vulnerability would be a non-feature that can be exploited in some manner. I could be wrong (as far as speaking for others) but this is my take on it. Again, it seems a little like semantics but it's a line that can be defines quite well.

Re:

[suv4x4]

It seems a fine line but I think many would consider this an exploit. A vulnerability would be a non-feature that can be exploited in some manner. I could be wrong (as far as speaking for others) but this is my take on it. Again, it seems a little like semantics but it's a line that can be defines quite well.

I'm looking forward to someone giving a definitive answer to this burning question. I can't sleep until I know if my Adobe Reader has multiple exploits or multiple vulnerabilities.

Re:

[Shimmer]

I think the terms are pretty easy to understand:

      Exploit : Vulnerability :: Key : Lock

So what this guy has done is develop exploits for pre-existing vulnerabilities in PDF. No?

Re:

[Ph33r th3 g(O)at]

s/Key/Pick

Re:

[Shimmer]

Granted.

Re:

[cgenman]

I think he's defining a vulnerability to be a piece of poorly written code, like an input buffer that's vulnerable to an overflow. Or a URL parser that's vulnerable to a carefully formatted string. The code in that case is not behaving as intended.

An exploit would be more along the lines of the old outlook viruses. Outlook used to allow arbitrary scripts to be run on mail loading, and messages to be sent to an entire address book. Combine these two, and you have an exploit. It's behaving completely as

Re:

[Anonymous Coward]

Whether or not a given piece of software is behaving as intended is not really relevant when considering whether or not the software in question has a security hole. For instance, I can write an app that listens on port 24126 and executes the commands received locally. The software is behaving exactly as intended. It also has a huge security hole - it allows anyone to connect to my computer and run basically any code they want. It may not be a bug in the code, but it is still a security hole. Just as in thi

Re:

[cgenman]

From a security point of view, they're the same problem. But from a *fixing* point of view, exploits are a lot more problematic. If the functionality if the application is causing the problem, then by definition fixing the security flaw will entail altering the functionality. Suddenly, your PDF-based form scripts won't work any more. A simple buffer overflow will cause headaches to the developer, but an exploit will cause headaches to the developer and a portion of your most devoted users.

Confused

[ndansmith]

After reading the article I am not sure if this is an Adobe Reader problem or a PDF problem. Every example cites an Adobe product, but the "hacker" said, "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this." Translation?

Re:Confused

[MarkCollette]

Basically, the PDF standard [adobe.com] allows for a lot of ways to access data on your local machine, in databases, and through your web browser. It also has mechanisms for running JavaScript, and even executing arbitrary local programs. Some of these things require a user to click on a link in a PDF, and some require just openning the PDF or visiting a specific page in the PDF.

Many of these features are quite helpful for corporate clients, but maybe shouldn't be allowed by default.

In retrospect, some of the other free 3rd part PDF viewers, that don't support those fancy features, might be better for people to use:

http://www.icesoft.com/products/icepdf.html [icesoft.com]

Re:

[TubeSteak]

So, just to boil this issue down to the essentials:

Will turning off javascript within Acrobat prevent the exploit?

(I run IE w/javascript enabled, but not Acrobat. Go Figure)

Re:

[Kesch]

Really, it's using pdf supported code to undertake malicious actions. The code may or may not work in other readers depending on wether the specific feature has been implemented, however it is at least known for sure that Adobe Reader has the advanced support in place for the exploitable features.

Re:

[coleopterana]

I'd have to agree with you and suggest that instead the article and commentary title here are slightly mislieading...if that were all a typical user read, s/he'd have the impression that merely opening a PDF file would make the computer vulnerable to exploitation in some fashion. The two methods described in this eWeek article don't appear to be anything of the sort. I think the majority of people now on any platform and likely the vast majority of more highly literate (in a computer sense) users don't al

oops.....

[coleopterana]

(My apologies for the above formatting, I was editing and the cat walked on the laptop, which normally doesn't result in a permanent mistake!)

Re:

[HatchedEggs]

Its not a bug, its a FEATURE!

Dear God.

[O'Laochdha]

How badly do you have to screw up to make it possible to hack through a virtual document?

Re:

[samurphy21]

You mean like email, word documents and such? God.. who knows?

Linux version of acroread seems fine

[Noksagt]

The article has two testcases. The second uses Windows ODBC so, unsurprisingly, fails. The first is supposed to open a web page automatically, but I'm presented with a dialogue asking me if I really want to open it (and the URL is identified in the dialogue). This seems to be good behavior. Did Adobe get things right on Linux & not on Windows? That's got to be a first.

Re:

[JustNilt]

Neither test document worked for me on a Windows XP box all patched up and using Acrobat Reader 7.0.8. What I get is a Security Warning stating the document is trying to connect to the domain. I'm not totally convinced this is an Adobe warning as it looks a lot like IE's warnings and I haven't yet tested exhaustively.

Either way, it's time to start letting clients know that PDFs have been added to the list of "potentially risky" file types.

Re:

[JCCyC]

The article has two testcases. The second uses Windows ODBC so, unsurprisingly, fails. The first is supposed to open a web page automatically, but I'm presented with a dialogue asking me if I really want to open it (and the URL is identified in the dialogue). This seems to be good behavior. Did Adobe get things right on Linux & not on Windows? That's got to be a first.

Same here (RPM version 7.0.1-1), except the dialog box does NOT say what URL is going to be opened. And it refuses to save any browser pr

Re:

[sjwest]

Simple answer hacking microsoft windows is more productive, and validates the issue so it gets reported here.

Re:

[Kesch]

Looking at some of the comments in his blog, the presence or absence of a warning box is kind of random. However, it might be linked to wether you open the pdf from your browser(no warning) or from your machine.

I got an interesting result on mine (under Linux) in that it asked me if I wanted to config my browser settings. I answered 'yes' and was then directed to a config page where I could input which browser command I wanted to use to launch my browser. It looks like this could easily be set to an interme

Firefox on Windows XP is sane

[Vreejack]

Both test cases give me a confirmation dialog offering to add the target site to a trusted list.

Curiously, both XP and Firefox updated over the last two days.

pr0n

[User 956]

He claims there are least seven different ways to backdoor a PDF.

I've seen quite a bit of pr0n. There's way more than seven ways.

clarification

[User 956]

that's assuming that by "PDF", he means "Pretty Drunk Female"....

Re:

[Dacmot]

I sure would love to have his job:

David Kierznowski, a penetration testing expert

Sources claim...

[Mikachu]

Sources claim the exploits would have been found sooner if any other hackers had the patience to wait for PDFs to load.

Load PDFs with Acrobat in seconds

[dw604]

Load PDFs with Acrobat in seconds [dwtips.com]

Re:

[Carthag]

Or you could just you know use a third party reader...

Load PDFs in milliseconds

[this great guy]

Even faster ! [informationweek.com]

Re:

[BrynM]

Load PDFs with Acrobat in seconds

Oddly enough, that also fixed both of these "exploits" for me. Now I get "The plug-in required by this 'URI' action is not available. Blah blah blah". Thanks for the link.

Re:

[MoogMan]

Or, a much better idea - scrap Acrobat, use a better PDF reader and load a PDF in second [foxitsoftware.com].

I can't believe that a company like Adobe can make such bilge like Acrobat Reader. Foxit looks literally the same, but done right!

Yippee Skippee

[Mozleron]

Just when i thought i didn't like PDFs, up comes this neat little "Feature" to try and make me like them all the more...

Wait, this isn't a good thing, is it... And i'm willing to bet Adobe is not really all that happy about it either...

Maybe this will prod them into getting back to their roots of a simpler system that did not take 30+ seconds to start up and did not bring a browser to its knees when it decided to act up... Or maybe i could just be dreaming.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[agent dero]

The vulnerabilities aren't in the format per se, but more in Adobe's implementation of their Acrobat products.

Apple, along with Preview, has its own implementation of rendering and viewing PDFs

Re:

[Strolls]

As a concerned Mac user ... I was wondering if these could possibly create vulnerabilities ... for mac users.

Well, if you tried downloading the sample PDF [michaeldaw.org] in 10.4 you'd see that opening it in Preview shows an apparently-live webpage. So it would seem fairly safe to say the answer may be "yes".

Stroller.

Re:

[Rivendell]

Opening the first PDF with Preview does not cause Safari to launch, and appears to show a static Google web page. No outbound traffic was observed when opening the PDF in Preview. Opening the PDF using Acrobat 5.0, 6.0 , and 7.0 appears to cause Safari to launch and open "http://www.google.com/owned.html". It looks like Preview is not vulnerable to this particular attack, while at least some Adobe Acrobat readers for OSX are vulnerable.

Re:

[Strolls]

Ah, ok. Please excuse me - you have my apologies. Having not tried this under the Adobe applications I assumed the point was to load the Google webpage, and because clicking on links within that open Safari I assumed the page be dynamic. I also wanted to reply to a Mac user smug about security.

Re:

[tm2b]

I also wanted to reply to a Mac user smug about security.

...and, despite the fact that the OP wasn't smug (in fact, was worried), underscored that some smugness may be warranted.

Good job, bigot boy!

Re:

[Petrushka]

Fear not: the title (replicated from TFA) is glaringly inaccurate in an attempt to sensationalise and induce general panic.

As even the blurb above states quite clearly, these are not vulnerabilities in PDF, a file format, they're vulnerabilities in Adobe Reader, an application (and one which most OS X users have no need for, thanks to Preview).

In fact, TFA seems to indicate moreover that the attacks are specific to Windows.

Nothing to see here .... unless you use Adobe Reader in Windows.

Re:

[laffer1]

Actually I have it installed on my Mac. There are a few features Preview does not support.

Penetration

[SauroNlord]

David Kierznowski, a penetration testing expert I wish I was a penetration test expert!

Re:

[Xemu]

If "crash tests" requires "crash test dummies" then I guess we know what the rubber dolls are used for in penetration testing.

Of course

[Anonymous Coward]

As if postscript is not dangerous enough, Adobes PDF attack vector executes javascript. When you're done disabling javascript in the Adobe PDF reader, you should disable it in your browser.

Has everyone downloaded the new version of firefox because 5 out of 7 of the vulns it fixes are javascript related. Why do we have to keep going through this, are people in denial or something? We all know what the problem is. There's only one security advisory I'd like to see for javascript problems, the mother of all ad

Javascript

[sowth]

Well the first order of business would be to hunt down an kill all the "web developers" who insist on using javascript for essential parts of their site. If it wasn't for them, I could just use dillo like I want to and not worry about javascript crap...

Re:

[pclminion]

PDF does not contain PostScript. The outward appearance of PDF's high-level data types (like dictionaries), and the PDF graphics language were inspired by PostScript, but it is NOT a stack based language. You can't, for instance, write a PDF which computes Mandelbrot's fractal and displays it (as you could with a PostScript program).

Get the facts straight. Just because a PDF looks "kinda like" a PostScript file in a binary editor doesn't mean it's PostScript.

Re:

[pclminion]

I know I'm replying to this late (I was away for a week). And my God, does Slashdot really have a million users now? Anyway...

The cool thing about PDF is that PDF documents can be cryptographically signed. It would be easy to implement (if not implemented already) a system where JavaScript functionality is only enabled for documents signed by a trusted key. Then, the government (or some other trusted entity) could take advantage of JavaScript in PDF and other untrusted documents could be treated with a hi

Easy

[OpenSourced]

Use FoxitReader (http://www.foxitsoftware.com), much lighter and faster than Adobe Reader, and probably with its own set of vulnerabilities, but unlikely to be much targeted.

Free

[mrchaotica]

Better yet, use Ghostscript [wisc.edu]. It's also much lighter and faster than Acrobat Reader, and -- more importantly, and unlike Foxit Reader -- is Free Software.

Re:

[gatzke]

Yes, but the default version has an annoying splash screen registration screen to click through every time you open gv or gsview.

As a result, I stopped using their reader. Free and Annoying.

Re:

[duguk]

> Yes, but the default version has an annoying splash screen registration screen to click through every time you open gv or gsview.

Nope, it doesn't have an annoying splash screen, but does have a small unobtrusive advert in the top right - which doesnt need internet access, only advertises FoxIts own products AND can be turned off through the menus.

> As a result, I stopped using their reader. Free and Annoying.

Definately free, but easy to use for idiots. At least it doesn't crash Firefox :)

Dug

Re:

[Ctrl-Z]

I believe the comment was that ghostscript is free and annoying, not foxit.

Re:

[mrchaotica]

So, in that case, what GPL PDF viewer should Windows users use?

"Hacker"?!

[coyote-san]

Since when is a respected security researcher a "HACKER"?!

Seriously. I know the old definition of "hacker" and have been proud to be called one (in that sense) in the past, but the headline clearly refers to the malicious definition of hacker. This headline seems to serve no purpose other than deliberately blurring the line between legitimate researchers and the jerks who exploit weaknesses.

Re:

[Ilgaz]

Normally I would say "Oh another hacker, not hacker fight" but your post makes perfect sense since just 2 stories below, posted by Zonk again, says:

"IT: How Hackers Identify Their Targets
Posted by Zonk on 0:07 16th September, 2006
from the drawing-a-bead dept.

narramissic writes "In a recent article, security guru Brent Huston writes about research he did to get inside the minds of spammers and expose some of the processes they use to identify potential targets. "

The "hacker" term used there is in spammer/zom

must....quote....Wargames...

[not a cylon]

Malvin: I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?
Jim Sting: [yelling] Mister Potato Head! Mister Potato Head! Back doors are not secrets!
Malvin: Yeah, but Jim, you're giving away all our best tricks!
Jim Sting: They're not tricks.

Only on the Windows version

[Anonymous Coward]

The Mac version of Acrobat reader is actually not affected by these vulnerabilities; they only occur on the Windows platform.

Easy Fix: Disable those plugins!

[imaginaryelf]

Create a parallel directory to installdir/adobe/acrobat 7.0/acrobat/plug-ins/ directory, call it plug-not, and move all non essential plug-ins into that directory.

I just want a reader, not a full fledged pseudo-browser app with tons of security exploits - there's already one called Internet Explorer on my PC!

So I've moved away: Accessibility, Acroform, ADBC, EScript, Multimedia, weblink, webpdf, etc.

Now when you open those "exploit" links, you get an pop-up saying, "The plug-in required by this 'URI' action

Re:

[Lehk228]

try out foxit, it's, by far faster than acrobat reader and aside from any technical security improvements, it has the benefit of being a tiny target compared to acrobat

yes even much faster than the stripped down version of acrobat reader

Back Door Demo #2 - Link Wrong

[md17]

In the article the second "back door demo (PDF)" link just points to the same PDF as the first link. The correct link is:
http://michaeldaw.org/projects/backdoored2.pdf [michaeldaw.org]

Malicious links are a PDF problem?

[Anonymous Coward]

The first back door (PDF), which eWEEK confirmed on a fully patched version of Adobe Reader, involves adding a malicious link to a PDF file. Once the document is opened, the target's browser is automatically launched and loads the embedded link.

Just about anything can automatically open a link. If there is something malicious on the page it is loading, that's a browser problem.

Re:

[Ilgaz]

It launches INSIDE the plugin, plugin renders the web browser and it looks very functional, that "first" link, it loads google.co.uk fine.

More interestingly, as many of Mac users got sick of Adobe or Apple PDF plugins, I use Schubert IT browser plugin (free for non commercial use) inside Omniweb 5.5

Now, this is Mac and OS X... No known "go to page and get spyware if your system not updated" stuff around.

This is big deal for Windows.

Re:

[Ilgaz]

Oops, Schubert IT plugin (http://schubert-it.com/) is NOT effected by first link, it loads web page , doesn't open another link.

Apologies, I misunderstood the problem.

Again, launching a URL on Windows could be disaster.

Doesn't work on Linux

[md17]

I've tried both exploits on Linux (acroread & Gnome Document Viewer). Neither work. The first asks if I want to connect to the web site and I have to explicitly click "Allow" (in acroread). The second of-course doesn't work because I don't have any ODBC junk on my Linux box. But that doesn't mean that it can't talk to other unsecured ports on my computer. That would be interesting to find out.

Re:Doesn't work on Linux

[flyingfsck]

Hmm, Linux just isn't ready for the desktop yet.

da ladies...

[ScottyMcScott]

future mother-in-law: so, what do you do?
guy: i'm a penetration tester.
....fill in rest.....

Acrobat Reader is awful

[oohshiny]

Apart from its (known) security problems, Acrobat Reader has a number of other problems, foremost that it's slow and that it fails to comply with Gnome, KDE, and Macintosh desktop UI standards.

There are more usable, faster, and safer alternatives.

Re:

[vtcodger]

***Acrobat Reader has a number of other problems, foremost that it's slow and that it fails to comply with Gnome, KDE, and Macintosh desktop UI standards.***

There are Gnome and KDE UI standards? Who knew?

OK, OK, that's snarky. But when you port a program from one OS to another -- Windows to Linux in this case -- there are going to be UI problems. Most Mac programs are human factors disasters when ported to Windows. And heck yes, that includes Excel. Personally, I've always found Excel to be major a

Alternatives already exist

[KillerBob]

Even for Windows. I tested the proof of concept PDFs in FoxIt PDF reader (http://foxitsoftware.com/), and none of them worked. The flaws aren't in the PDF format itself, they're in Adobe's implementation of it.

Only 7?

[makillik]

"He claims there are least seven different ways to backdoor a PDF."

But remember there must be 50 ways to leave your lover

PDF version

[mclaincausey]

Get your PDF version of the story here [slashdot.org]

Read PDFs with gsview

[Animats]

Most PDFs can be viewed with gsview [wisc.edu], the old Postscript previewer. It doesn't have all that crap Adobe put in like WebBuy, but nobody uses that anyway. Gsview will display PDFs that older versions of Adobe Reader won't.

OK How do I protect my machine?

[140Mandak262Jamuna]

I clicked on the link. I am using Firefox. It warned me that my pdf reader is old, (6.0) opened what appeared to be a pdf version of google home page then redirected to google.com/owned.html which did not exist. Does it mean that my machine is vulnerable?

The second test too failed the same way.

But in the tabs where I expected pdf docs now there is a 404 Not Found error. What does it prove?

What should I do to remove these fancy features from pdf readers?

Re:

[140Mandak262Jamuna]

OK. Since I am vulnerable, I tried to remove pdf plug-in from Firefox. Somehow the "Remvoe Action" button was greyed out. So I changed it to just save the file for the present. I am very careful with attachments. I just did not want to accidentally visit a malformed pdf that is all. Enough for present? May be I should dig a little more and see if open source implementation of bare bones pdf readers are available for windows.

Turing complete

[G3ckoG33k]

IIRC, at least PostScript has been demonstrated as a Turing complete language (someone wrote a printer's driver in it, as reported on Slashdot many years ago, IIRC). And, given PDF's background, why shouldn't it be that too? Please, someone with more knowledge, please enlighten me if I'm on the wrong track! And, if it is, would that matter to this context, finding (or writing) 'backdoors'?

I can understand the media using "hacker"...

[afabbro]

...but why can't Slashdot, of all places, use "cracker"?

Re:

[elrous0]

Because no one uses the word "cracker" for malicious hackers, outside of a few anal-retentive hold-outs. Sorry, but common usage has left this debate behind long ago. You can either deal with it or end up like that annoying old fart at the nursing home ranting about how "gay" means happy, dammit!

-Eric

Search feature information leak

[pe1chl]

When the user types in the search box in recent versions of Acrobat reader, while viewing a .pdf retrieved from the web, the reader performs a GET on the search keywords appended to the original location of the document (enclosed in double quotes).
So, as a website owner you get the search terms used on your documents as 404 errors in the logfile.
(I have not yet tried to answer those queries with a 200 response, who knows what happens then...)

Re:

[Anonymous Coward]

Respectfully disagree.

PDF is incredibly useful...to people other than yourself. The bloat that annoys you so much guarantees layout and color fidelity to people who care about those things. Do you find PostScript printers bloated and wasteful?

Re:

[Anonymous Coward]

HTML and similar document formats do not retain character sets, pagination, and other presentation-related pieces of data. Create a webpage, and view it in different browsers on different OSes with different font sets. The page is not guaranteed to look the same, and most likely will render different on each different browser. PDF, on the other hand, will render the same with every PDF reader.

PDF is designed to be a read-only document presentation format. Sort of a globally understood "print to file" format

Re:

[ultranova]

Don't confuse Adobe's somewhat bloated PDF reader's sluggish speed with the format being "slow." Try any of the third-party document readers (xpdf, etc). They are blazingly fast.

30 seconds to show the next page in a 1GHz machine with xpdf.

PDF does something to bitmap images that makes large ones unbelievably slow to display. I don't know what, but it's definitely a very slow format in that respect.

Re:Does anyone else think this is good news?

[alain94040]

Sorry, I got to disagree with this. If you are looking for print quality (as in book), PDF is way ahead of any standard HTML I have ever seen.

Yes, AcroRead takes longer and longer to load, defeating the purpose of being this ubiquitous reader Adobe is pitching. Yes it's not open.

But still, it's the saftest way I have found so far to send someone a document so I could be sure that when they open it, it looks exactly like I intended it to look. That to me is key: I care about the looks of what I do.

Alain.