[SOLVED] How to safely read PDF

catnap · 2019-04-16 09:09:52

I've learned that PDF files, that seem to consist quite innocuously of static content, may come packed with dynamic parts that are able to execute scripts and browse the file system. See e.g. https://security.stackexchange.com/ques … in-a-virus. Is there a way to counteract the problem by opening the file in a compartmentalized safe mode or in some other way? What is the safest PDF reader for Arch Linux?

Last edited by catnap (2019-04-22 19:41:01)

schard · 2019-04-16 09:39:40

That feels like asking:
I've learned that under Windows *.exe files may contain malware. How can I safely run *.exe files under Windows.
So the general answer would be: Don't open PDF files containing malware.
If you've found any actual vulnerability you may want to report it to the respective bug tracker (i.e. poppler's).

catnap wrote:

What is the safest PDF reader for Arch Linux?

This question is leading you nowhere. One may only truly answer that question after a thorough security review of all available PDF viewers.

Skunky · 2019-04-16 09:51:25

If you don't trust a PDF i suggest you open it in a VM

Trilby · 2019-04-16 12:28:35

Use a pdf reader that doesn't support any of those features that you are concerned about. The extreme example would be poppler's pdf2text. It ignores everything that isn't text.

PDFs only contain instructions - it's your reader that decides which flavors of instructions will be read/followed. Most simple pdf readers only use the text and graphic instructions to render images of pages. It actually is rather involved to write a pdf reader that can run any of that dynamic content. So just use a simple reader - e.g., mupdf.

catnap · 2019-04-16 17:37:57

Trilby wrote:

Most simple pdf readers only use the text and graphic instructions to render images of pages.

This is probably true in the sense relevant to the discussion. It could really be that the usual PDF viewers in Arch Linux do not support the type of dynamic content that would compromise security. Casual browsing revealed that Evince could be even more secure than MuPDF. MuPDF has some level of JavaScript support [1] while Evince does not [2]. Okular has JavaScript support [3].

[1] https://en.wikipedia.org/wiki/MuPDF
[2] https://wiki.gnome.org/Apps/Evince/Roadmap#Unresourced
[3] https://okular.kde.org/news.php

mpan · 2019-04-16 20:43:18

As always, the standard notice: security is a spectrum, not a binary option. There is no “secure” and “unsecure”: there is only “more secure” and “less secure”. And that doesn’t scale well: becomes prohibitively expensive and cumbersome as you travel into the “more secure” direction. Set your threat model first, determine your budget, decide how much effort you are going to put into it.

You do not need to have support for any particular feature of any format to be vulnerable. Basic plaintext file editors are known to have ACEs, as well as image processing programs even while opening BMP. If the format offers programming features, it makes the attack much easier — but is not, by itself, enabling it. The attacker still needs to break out of the execution environment. Don’t fall into thinking, that disabling scripting improves security by extreme amount. It helps a lot, but don’t overestimate both the risk and the gains from avoiding it.

All PDF viewers support custom typefaces and, because of hinting, all typefaces can contain executable programs. The environment is limited, but is enough to be used as an aid in an attack. This is one of the reasons NoScript disables them on websites. Therefore any PDF reader and most PDF conversion tools are theoretically vulnerable. Period.

If you want to be very secure: pdftocairo from poppler with nspawn¹, and then view the pages or combine them back into a clean PDF. Depending on how much you value the security: you may go as far as using a VM, a cloud server just for that task, or an air-gapped computer. Of course neither gives you “100% security” and the deeper you go, the more pain you get.

There are various ways to detect JavaScript in PDF, which may be of interest to you: see the response from Kurt Pfeifle.

If you are not expecting spear attacks, you may consider using your web browser for viewing PDFs, with a separate profile. As it happens, those are the most hardened JavaScript environments available, since one of their main tasks is containing JavaScript. They are also the most attacked ones, but typical attacks will be against large populations — it is unlikely to see a 0-day campagain against Arch Linux users. And such bugs are fixed quickly.

Don’t consider the above comments simply dismissive. I fully resonate with the idea of not running scripts in PDFs. Yet my reasons are different and the answer is from the perspective of security and security alone.
____
¹ nspawn is not a security feature, but is good enough for that purpose.

Last edited by mpan (2019-04-16 20:51:15)

catnap · 2019-04-16 21:25:00

mpan wrote:

Therefore any PDF reader and most PDF conversion tools are theoretically vulnerable.

Thank you for the detailed and insightful account on the issue. It really seems that, even in the digital world of information technology, an issue like security is not to be thought in binary.

mpan · 2019-04-19 02:15:28

catnap: [SOLVED], not [CLOSED]

starfear · 2019-04-22 10:23:14

Maybe you should use somethin' like firefox pdf reader?

catnap · 2019-04-22 19:42:14

mpan wrote:

catnap: [SOLVED], not [CLOSED]

OK. One must have an eye for nuance.

Arch Linux

#1 2019-04-16 09:09:52

[SOLVED] How to safely read PDF

#2 2019-04-16 09:39:40

Re: [SOLVED] How to safely read PDF

#3 2019-04-16 09:51:25

Re: [SOLVED] How to safely read PDF

#4 2019-04-16 12:28:35

Re: [SOLVED] How to safely read PDF

#5 2019-04-16 17:37:57

Re: [SOLVED] How to safely read PDF

#6 2019-04-16 20:43:18

Re: [SOLVED] How to safely read PDF

#7 2019-04-16 21:25:00

Re: [SOLVED] How to safely read PDF

#8 2019-04-19 02:15:28

Re: [SOLVED] How to safely read PDF

#9 2019-04-22 10:23:14

Re: [SOLVED] How to safely read PDF

#10 2019-04-22 19:42:14

Re: [SOLVED] How to safely read PDF

Board footer