Is Firefox PDF reader a secure alternative to Adobe Reader?

Expert Michael Cobb examines Mozilla’s Firefox PDF reader and discusses whether it is more secure than Adobe Reader.

Mozilla included a built-in PDF reader as a default feature in Firefox 19. How does it work, and is it safer than other PDF readers like Adobe Reader or Foxit?

Mozilla's PDF reader has been part of Firefox for several versions, but it had to be manually enabled prior to version 19. The Firefox PDF reader was switched on by default for the first time in the Firefox 18 beta and fully integrated as the default PDF reader in version 19. As a result, Windows, Mac and Linux users no longer need to rely on plugins to view PDFs. The PDF reader loads and renders PDFs directly in the browser by using PDF.js, a JavaScript library that converts PDF files into HTML5 using standard HTML5 APIs.

Mozilla introduced a built-in PDF reader, in part, to reduce the need for plugins with proprietary source code that, according to Mozilla, "could potentially expose users to security vulnerabilities." Another initiative to tackle plugin security issues is its Click-to-Play feature. By default, Click-to-Play blocks all browser plugins, except the latest version of Flash, from loading until the user gives permission.

Adobe Reader has been widely exploited over the last few years. Most PDF exploits, including recent zero-day exploits, have taken advantage of vulnerabilities in Adobe Reader's rendering engine rather than its parsing engine. (Adobe probably realized some time ago that malformed structures and content would cause problems, and so concentrated on hardening the parsing engine.) Mozilla's approach is to take the structure of the PDF and translate it into a DOM structure, which can then be rendered by the browser's standard HTML renderer and interacted with via JavaScript. This removes a large portion of the attack surface, leaving only the security of the document translation engine as an attack vector. If a PDF file contains an exploit for Adobe Reader, opening the file using PDF.js will prevent the exploit from working.

Any real exploitable flaws in Mozilla's viewer are likely to be reliant on a secondary one that could be exploited through other means, such as a bug in the HTML5 renderer or JavaScript interpreter. To obtain an arbitrary code execution exploit out of JavaScript, you have to find a hole in the JavaScript engine itself, as errors in scripts written in JavaScript lead only to an exception.

Mozilla's reader is certainly faster than a plugin reader, as the user doesn't have to download the content to read it in Foxit or Adobe Reader, or fire up a plugin. It also means less reliance on Adobe for security updates, which is a good thing! However, be forewarned that some PDFs don't display properly or at all. You may want to look at the integrated document reader in Windows 8, Modern Reader, as another alternative. Users running Linux have even more choices when it comes to free PDF viewers, some of which can handle other document formats.

This was last published in June 2013
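
To illustrate the point above that a parsing mistake in JavaScript ends in an exception rather than memory corruption, here is an added example (not from the original article and not PDF.js code): a toy reader for one PDF stream object whose `/Length` value lies about its size. The function names and the sample object are assumptions made for the illustration.

```javascript
// Added example, not PDF.js code. All sample bytes below are constructed.
class PdfFormatError extends Error {}
const toText = (bytes) => Array.from(bytes, (b) => String.fromCharCode(b)).join('');

// Find the declared /Length and the offset of the first stream byte.
function locate(bytes) {
  const text = toText(bytes); // one char per byte, so offsets line up
  const m = /\/Length\s+(-?\d+)/.exec(text);
  if (!m) throw new PdfFormatError('missing /Length');
  const kw = text.indexOf('stream\n');
  if (kw < 0) throw new PdfFormatError('missing stream keyword');
  return { declared: Number(m[1]), start: kw + 'stream\n'.length };
}

// Careful parser: a lying /Length becomes a catchable exception.
function readStream(bytes) {
  const { declared, start } = locate(bytes);
  if (declared < 0 || start + declared > bytes.length) {
    throw new PdfFormatError(`/Length ${declared} does not fit the file`);
  }
  return bytes.subarray(start, start + declared);
}

// Careless parser: the bounds check is missing, yet the engine still
// clamps the view and returns undefined for an out-of-range index.
function readStreamUnchecked(bytes) {
  const { declared, start } = locate(bytes);
  const view = bytes.subarray(start, start + declared);
  return { copied: view.length, pastEnd: bytes[start + declared] };
}

// Build one constructed PDF stream object with a chosen /Length.
function makeObject(declaredLength, body) {
  return new TextEncoder().encode(
    `1 0 obj\n<< /Length ${declaredLength} >>\nstream\n${body}\nendstream\nendobj\n`);
}

function demo() {
  const lying = makeObject(4096, 'hello');
  const out = { honest: toText(readStream(makeObject(5, 'hello'))) };
  try { readStream(lying); out.rejected = false; }
  catch (e) { out.rejected = e instanceof PdfFormatError; }
  out.unchecked = readStreamUnchecked(lying);
  return out;
}
console.log(demo());
```

In a native parser the same missing check would read or copy past the end of the buffer; here the worst outcome of the careless version is a short or wrong stream.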

2 comments

For me personally I prefer the in-browser PDF reader simply because I can view a document without having to download it. I'm OK with downloading if I know I'm going to need to spend some quality time with a document. With Adobe Reader, I have to download it first. On Firefox, I can decide based on what I read if I want to download the file.

Maybe I'm missing something, but on my Mac I can read .pdfs natively or with Preview. Why would I want to load a separate plugin to a browser or gum up my system with extra programs? Maybe I'm not in the holiday spirit yet, but SIMPLIFY is still the order of the day, isn't it?