
As PDF may contain malicious code, is there any easy-to-use file format providing the same features?

If not, could you share recommendations to limit the attack surface for average users? (Exclude Qubes, sandboxes, scans, ...)

schroeder
Sumak
  • Short answer: no – schroeder May 30 '23 at 20:39
  • Many PDF viewers simply don't support the ability to run JavaScript or other code, so if that's not a feature you need, one of those viewers may be beneficial for security (although other security-sensitive bugs could still exist). – bk2204 May 30 '23 at 21:52
  • PDF/A is a subset of PDF functionality that e.g. disallows JavaScript. This is good for portability and safety, but PDF remains a fairly complex format. If exact layout shall be preserved, there is no real alternative. However, users can't easily tell whether a PDF conforms to PDF/A (most don't), so this won't help users improve security. Strong sandboxing (like opening PDFs in Chrome/Firefox rather than Adobe software) is probably the best approach. – amon Jun 01 '23 at 18:51
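The comments above make two points a user cannot check by eye: most viewers do not need JavaScript, and there is no easy way to tell whether a given PDF carries active content at all. The following is an added example, not code from the question or from any commenter: a small static triage script that looks for the PDF name tokens that signal code execution, event-triggered actions, external launches or network reach-out (/JavaScript, /OpenAction, /AA, /Launch, /URI and friends). It decodes the #xx hex escapes the format allows in names (so /J#61vaScript is still caught) and reports when the file uses compressed object streams, which a string-level check cannot see into. The two sample documents are constructed inline for illustration; the token list and the verdict strings are this example's own choices.

```python
"""Triage a PDF for active or outward-reaching content before opening it.

Added example (not from the question or any comment). This is a conservative
string-level check, not a PDF parser: it can say "something active is here",
but an absence of hits is NOT proof of safety, because objects may live inside
compressed object streams (/ObjStm) that this scanner does not inflate.
"""
import re

# Name tokens whose presence means the document can run code, trigger actions,
# launch programs, or reach out to the network. (Illustrative list, not exhaustive.)
ACTIVE_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code (string or stream)",
    b"/OpenAction": "action triggered when the document opens",
    b"/AA": "additional actions (page/annotation/field events)",
    b"/Launch": "launch an external program",
    b"/GoToR": "go-to action targeting another file",
    b"/URI": "URI action (can phone home)",
    b"/SubmitForm": "form data submission to a URL",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "rich media (Flash/3D)",
    b"/XFA": "XFA form definition",
}

# In a PDF name a character may be written as #xx, so /J#61vaScript == /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name ends at whitespace or a delimiter character, so /JS will not match /JSX.
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"


def _unescape_names(data):
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data):
    """Return {'is_pdf': bool, 'active': {name: (count, description)},
    'has_object_streams': bool} for the raw bytes of a document."""
    text = _unescape_names(data)
    active = {}
    for name, desc in ACTIVE_NAMES.items():
        hits = re.findall(re.escape(name) + _NAME_END, text)
        if hits:
            active[name.decode()] = (len(hits), desc)
    return {
        "is_pdf": data.lstrip().startswith(b"%PDF-"),
        "active": active,
        "has_object_streams": bool(re.search(rb"/ObjStm" + _NAME_END, text)),
    }


def verdict(data):
    """One-line human-readable summary of scan_pdf()."""
    r = scan_pdf(data)
    if not r["is_pdf"]:
        return "not a PDF header"
    if r["active"]:
        names = ", ".join(f"{n} x{c}" for n, (c, _) in sorted(r["active"].items()))
        return "active content present: " + names
    if r["has_object_streams"]:
        return "no active content seen, but compressed object streams were not inspected"
    return "no active content found (static check only)"


# Constructed samples (not real documents): a bare one-page PDF, and the same
# file with an /OpenAction pointing at a JavaScript action whose name is hex-escaped.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ACTIVE_PDF = BENIGN_PDF.replace(
    b"/Pages 2 0 R >>",
    b"/Pages 2 0 R /OpenAction 4 0 R >>",
).replace(
    b"trailer",
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj\ntrailer",
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:
        print("benign sample:", verdict(BENIGN_PDF))
        print("active sample:", verdict(ACTIVE_PDF))
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: {verdict(f.read())}")
```

Run it with no arguments to see the two constructed samples classified, or pass file paths. A hit is a reason to open the file only in a viewer that ignores those features or in a confined environment; a clean result from this check alone is not a reason to trust it, since parser bugs need no active content at all.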

1 Answer


easy to use file format providing the same features ?

The ability to contain code is a feature of PDF, not a bug. So if you are asking for the same features, you are asking for the ability to execute code too.

Code being malicious is less a feature of the PDF format itself and more of the execution environment, i.e. the PDF reader and the platform it is running on: if the environment does not provide free access to the internet, then the code running inside cannot freely access the internet; if the environment does not provide access to the user's files, then the code cannot access the user's files.

Malicious code might exploit vulnerabilities in the PDF engine, but that is not a problem or feature of the format; these are bugs in the implementation.

So to be on the safe side it is best to run the PDF reader in a very restricted environment (virtual machines, container, sandboxes, ...), where it has no access to anything you want to have protected. See also How to safely view a malicious PDF?.

But this recommendation isn't true for PDF readers only; it's basically the same for any kind of application that processes potentially untrustworthy data. That's why modern browsers (and also some PDF readers) make heavy use of internal privilege separation and sandboxes, and there are remote browser isolation products which even run the browser on a different machine in a separated network.

... limit the attack surface for average users ?

Based on the security browsers try to achieve, it is therefore also an easy and cheap solution to open the PDF with a modern browser. The features of this reader might be limited (but sufficient for common use), but the security offered is likely sufficient for users who are not the target of more advanced directed attacks.

Steffen Ullrich
  • Thanks a lot for your answer. Do you know PDF readers designed to protect users facing advanced directed attacks ? – Sumak May 31 '23 at 09:54
  • 2
    @Sumak: You specifically exclude in your question technologies which are typically used in such scenarios - not only for reading PDF but in general for dealing with potentially malicious input. There is usually a trade-off between achievable security and usability and you need to pick your own balance based on the threats you face. – Steffen Ullrich May 31 '23 at 10:02
  • You're right. Thanks anyway ! – Sumak May 31 '23 at 12:41
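The answer's recommendation is to run the reader in a restricted environment where it has no access to anything worth protecting. As an added example, not code from the answer or from any of the tools named, here is a launcher that does exactly that on Linux with bubblewrap (bwrap): the viewer gets a read-only view of the system directories, an empty /home, a private /tmp, no network namespace, and the single PDF bind-mounted read-only. It assumes bubblewrap 0.4 or newer on the PATH (for --ro-bind-try), a viewer installed under /usr (mupdf by default), and an X11 display; the /pdf mount point, the fake /home/sandbox home and the /tmp/xauth path are this example's own choices. Building the argv is kept separate from running it so the command line can be inspected without bwrap present.

```python
#!/usr/bin/env python3
"""Open an untrusted PDF in a bubblewrap (bwrap) sandbox: no network, no $HOME,
read-only system, only the one document visible.

Added illustration, not code from the answer. Assumptions: Linux, bubblewrap
>= 0.4 on PATH as `bwrap`, a viewer under /usr (default `mupdf`), and an X11
display. Wayland users would bind the Wayland socket from $XDG_RUNTIME_DIR
instead of /tmp/.X11-unix.
"""
import os
import shutil
import subprocess
import sys

SANDBOX_DIR = "/pdf"          # where the viewer will see the file (example choice)
SANDBOX_HOME = "/home/sandbox"  # empty home so the viewer can write its config nowhere useful


def build_bwrap_cmd(pdf_path, viewer="mupdf", display=None, xauthority=None):
    """Return the argv for a confined viewer. Pure function: it only builds
    the command line, so it can be inspected or tested without bwrap."""
    src = os.path.abspath(pdf_path)
    inside = SANDBOX_DIR + "/" + os.path.basename(src)
    cmd = [
        "bwrap",
        # Fresh namespaces. Network is the important one: code in the PDF
        # cannot phone home. IPC is deliberately left shared because X11
        # clients using MIT-SHM break without it; add --unshare-ipc if yours don't.
        "--unshare-user-try",
        "--unshare-pid",
        "--unshare-net",
        "--unshare-uts",
        "--unshare-cgroup-try",
        "--die-with-parent",    # viewer dies when this launcher exits
        "--new-session",        # detach from the controlling terminal
        # Read-only system. *-try variants tolerate distros without /lib64 etc.
        "--ro-bind", "/usr", "/usr",
        "--ro-bind", "/etc", "/etc",
        "--ro-bind-try", "/lib", "/lib",
        "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind-try", "/bin", "/bin",
        "--ro-bind-try", "/sbin", "/sbin",
        "--dev", "/dev",        # minimal /dev, not the host's device nodes
        "--proc", "/proc",
        "--tmpfs", "/tmp",      # private scratch space
        "--tmpfs", "/home",     # the user's real files do not exist in here
        "--dir", SANDBOX_HOME,
        # The only document the viewer can reach, and it cannot modify it.
        "--ro-bind", src, inside,
        # Scrub the environment; nothing from the real session leaks in.
        "--clearenv",
        "--setenv", "PATH", "/usr/bin:/bin",
        "--setenv", "HOME", SANDBOX_HOME,
    ]
    if display:
        # X socket directory is bound read-only into the private /tmp created above.
        cmd += ["--ro-bind", "/tmp/.X11-unix", "/tmp/.X11-unix",
                "--setenv", "DISPLAY", display]
        if xauthority and os.path.exists(xauthority):
            cmd += ["--ro-bind", xauthority, "/tmp/xauth",
                    "--setenv", "XAUTHORITY", "/tmp/xauth"]
    cmd += ["--", viewer, inside]
    return cmd


def open_sandboxed(pdf_path, viewer="mupdf"):
    """Launch the viewer inside the sandbox and return its exit status."""
    if shutil.which("bwrap") is None:
        raise RuntimeError("bubblewrap (bwrap) is not installed")
    if not os.path.isfile(pdf_path):
        raise FileNotFoundError(pdf_path)
    cmd = build_bwrap_cmd(pdf_path, viewer,
                          display=os.environ.get("DISPLAY"),
                          xauthority=os.environ.get("XAUTHORITY"))
    return subprocess.call(cmd)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: pdf-sandbox.py FILE.pdf [viewer]")
    sys.exit(open_sandboxed(sys.argv[1], *sys.argv[2:3]))
```

Usage is `python3 pdf-sandbox.py untrusted.pdf`. What this buys is exactly the answer's point: a bug in the viewer still gives the attacker code execution, but inside a view of the machine that contains no network, no home directory and nothing writable except a throwaway /tmp. It is not a substitute for a patched viewer, and it does not cover kernel bugs reachable from the namespace.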