#Adobe pdf viewer for firefox pdf
Probably preventable by using a restrictive content origin policy. 3rd party objects being loaded into the page, which can then exploit a separate Java / Flash / HTML5 / etc.If there are exploits, I see them coming from the following areas: Any real exploitable bugs are likely to be reliant on a secondary bug that could be exploited through other means anyway. This removes a huge portion of the attack surface, and allows them to entirely focus on the security of the document translation engine. The new Firefox PDF engine simply takes the structure of the PDF and translates it into a DOM structure, which can be rendered by the browser's standard HTML renderer and interacted with via JavaScript. If you look at some of the recent 0-day stuff for Adobe Reader, you'll see that most of it relies on bugs in the rendering engine and some of the more exotic areas of content handling.
Adobe got wise early to the fact that malformed structure and content would screw them, and put a lot of effort into making sure that their parsing engine was rock solid. Historically, most PDF exploits have come from the rendering engine rather than the parsing side.
I actually think the Mozilla devs have been pretty smart with this.
0 kommentar(er)
