Is Firefox PDF reader a secure alternative to Adobe Reader?

Expert Michael Cobb examines Mozilla’s Firefox PDF reader and discusses whether it is more secure than Adobe Reader.

Mozilla included a built-in PDF reader as a default feature in Firefox 19. How does it work, and is it safer than other PDF readers like Adobe Reader or Foxit?

Mozilla's PDF reader has been part of Firefox for several versions, but it had to be manually enabled prior to version 19. The Firefox PDF reader was switched on by default for the first time in the Firefox 18 beta and fully integrated as the default PDF reader in version 19. As a result, Windows, Mac and Linux users no longer need to rely on plugins to view PDFs. The PDF reader loads and renders PDFs directly in the browser by using PDF.js, a JavaScript library that converts PDF files into HTML5 using standard HTML5 APIs.

Mozilla introduced a built-in PDF reader, in part, to reduce the need for plugins with proprietary source code that, according to Mozilla, "could potentially expose users to security vulnerabilities." Another initiative to tackle plugin security issues is its Click-to-Play feature. By default, Click-to-Play restricts all browser plugins, except the latest version of Flash, from loading until the user gives permission.

Adobe Reader has been widely exploited over the last few years. Most PDF exploits, including recent zero-day exploits, have taken advantage of vulnerabilities in Adobe Reader's rendering engine rather than its parsing engine. (Adobe probably realized some time ago that malformed structures and content would cause problems, so it concentrated on hardening the parsing engine.) Mozilla's approach is to take the structure of the PDF and translate it into a DOM structure, which can then be rendered by the browser's standard HTML renderer and interacted with via JavaScript. This removes a large portion of the attack surface, leaving only the security of the document translation engine as an attack vector. If a PDF file contains an exploit for Adobe Reader, opening the file using PDF.js will prevent the exploit from working.

Any real exploitable flaws in Mozilla's viewer are likely to rely on a secondary flaw that could also be exploited through other means, such as a bug in the HTML5 renderer or JavaScript interpreter. To obtain an arbitrary code execution exploit out of JavaScript, you have to find a hole in the JavaScript engine itself, as errors in scripts written in JavaScript lead only to an exception.

Mozilla's reader is certainly faster than a plugin reader, as the user doesn't have to download the content to read it in Foxit or Adobe Reader, or fire up a plugin. It also means less reliance on Adobe for security updates, which is a good thing! However, be forewarned that some PDFs don't display properly or at all. You may want to look at the integrated document reader in Windows 8, Modern Reader, as another alternative. Users running Linux have even more choices when it comes to free PDF viewers, some of which can handle other document formats.
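
The point above that errors in scripts written in JavaScript lead only to an exception, as an added example (not PDF.js code and not part of the original article): a deliberately careless stream reader trusts a declared `/Length` that overstates the data, and the engine's bounds check raises `RangeError`. The names `readStream` and `tryRead` and both sample objects are hypothetical and constructed for this illustration.

```javascript
'use strict';
// Added illustration; not taken from PDF.js. All names and sample bytes are constructed.

const enc = (s) => new TextEncoder().encode(s);
const toText = (bytes) => Array.from(bytes, (b) => String.fromCharCode(b)).join('');

// Deliberately careless reader: it trusts the declared /Length without
// comparing it to the bytes actually present, the kind of slip that becomes
// an out-of-bounds read in a native parser.
function readStream(bytes) {
  const text = toText(bytes);
  const m = /\/Length\s+(\d+)/.exec(text);
  if (!m) throw new SyntaxError('missing /Length');
  const declared = Number(m[1]);
  const marker = text.indexOf('stream\n');
  if (marker < 0) throw new SyntaxError('missing stream keyword');
  const start = marker + 'stream\n'.length;
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const out = [];
  for (let i = 0; i < declared; i++) {
    // getUint8 is bounds-checked by the engine: past the end it throws
    // RangeError rather than returning whatever sits next in memory.
    out.push(view.getUint8(start + i));
  }
  return Uint8Array.from(out);
}

// Caller's view: the logic bug surfaces as a catchable exception.
function tryRead(bytes) {
  try {
    return { ok: true, data: toText(readStream(bytes)) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed samples: one honest object, one whose /Length overstates the data.
const wellFormed = enc('1 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n');
const lyingLength = enc('1 0 obj\n<< /Length 4096 >>\nstream\nhello\nendstream\nendobj\n');

console.log(tryRead(wellFormed));
console.log(tryRead(lyingLength));
```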

This was last published in June 2013
