David Brown <david.brown@removethis.hesbynett.no> wrote:
> PDFs are perfectly safe as long as you use a safe pdf reader, and as
> long as you disable javascript on the reader. Basically, avoid Acrobat
> Reader. Any Linux reader (such as evince) is safe, as are all other
> Windows readers that I know of. Something like Foxit reader is free,
> safe, and /much/ faster than Acrobat.
Other readers have had their share of vulnerabilities as well (e.g. both
Foxit and Adobe Reader used to silently run executables embedded in PDF
files, no JavaScript or exploits needed. CVE-2010-1240). PDFs have also
been used as attack vectors, for instance one iPhone jailbreak was
accomplished by exploiting a FreeType2 bug via a font embedded in a PDF.
Adobe Reader has by far the worst track record, but claiming you're safe
just by switching to another reader is disingenuous.
-a
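
The reply above names three reader-independent risks in a PDF: launching an embedded executable, JavaScript, and embedded fonts. The following triage sketch is an added example, not part of either post; the mapping of PDF name keys to those risks, the function names and the sample bytes are this example's assumptions.

```python
import re

# PDF name keys mapped to the risks raised in the reply above. The mapping is
# this example's assumption, not a complete list of risky PDF features.
RISKY_NAMES = {
    "Launch": "launch action (can start an external program)",
    "EmbeddedFile": "embedded file stream",
    "JS": "JavaScript source",
    "JavaScript": "JavaScript action",
    "OpenAction": "action run when the document opens",
    "FontFile": "embedded Type 1 font program",
    "FontFile2": "embedded TrueType font program",
    "FontFile3": "embedded CFF/OpenType font program",
}

# A PDF name is "/" followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is recognised as /JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky name keys found in the uncompressed parts of a PDF."""
    hits = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_NAMES:
            hits[name] = hits.get(name, 0) + 1
    return hits


# Constructed sample: object fragments only, not a complete or valid PDF.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Action /S /L#61unch >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n"
    b"4 0 obj << /Type /FontDescriptor /FontFile2 5 0 R >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, count in sorted(triage_pdf(SAMPLE).items()):
        print(f"/{name} x{count}: {RISKY_NAMES[name]}")
```

Names inside compressed object streams are not visible to this scan, so an empty result only means nothing was found in the plain-text parts of the file.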