Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Firefox getting built-in HTML5-based PDF viewer to improve security

Lucian Constantin | Jan. 14, 2013
A built-in PDF viewer component based on JavaScript and HTML5 Web technologies has been added to the beta version of Firefox 19, Mozilla said Friday.

Tanase pointed out that vulnerabilities in the browser's JavaScript rendering engine are not uncommon. As an example, he pointed to CVE-2013-0750, a remote code execution vulnerability fixed in Firefox 18 a few days ago. The vulnerability stems from a bug in the way the browser calculates the length for a JavaScript string concatenation.

This vulnerability is not the exception, but rather the rule, Tanase said. "Similar ones are discovered every year, in mostly every product version and they can all be used by attackers to run code and install software, requiring no user interaction beyond normal browsing."

This PDF viewer component could be more secure than third-party plug-ins if it is written entirely in JavaScript/HTML5, Thomas Kristensen, the chief security officer at vulnerability intelligence vendor Secunia, said via email.

However, this doesn't mean that it's not prone to vulnerabilities, he said. "If new functionality has been added to the browser or the PDF reader otherwise becomes privileged in the browser, then it may be vulnerable and become a new vector to exploit these vulnerabilities in the browser."

"From a technical standpoint I find it very interesting that they are creating a PDF viewer that utilizes the existing capabilities of the browser," Carsten Eiram, the chief research officer at security consultancy firm Risk Based Security, said via email. "Since browsers are now so advanced with HTML5 and JavaScript support that they can actually parse PDF files, it could make having a separate PDF viewer pointless for most users, who just need basic PDF viewing capabilities."

In general, the less code there is on a system, the less exposed it is to potential attacks, Eiram said. Using this built-in PDF viewer component instead of installing a separate a PDF reader application that often includes features many users don't really need and which can be vulnerable, reduces the system's overall attack surface, he said.

Tanase also agrees with this theory. "There's a clear benefit for using the same rendering engine for both Web pages and PDFs which needs to be pointed out: the code base is smaller, therefore the attack surface and potential risk is lowered," he said.

Eiram believes that it will come down to how solid the JavaScript and HTML5 implementations are in the browser. "I would expect any vulnerabilities in these implementations to affect the PDF viewer too," he said.

Fortunately, if such vulnerabilities are found, the job of fixing them falls to the browser vendor. Browser makers, especially Mozilla and Google, have a very good track record of managing vulnerabilities and historically have had better updating mechanisms than third-party plug-in vendors, Tanase said.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.