Protecting Against Malware While Viewing PDF Files

Sometimes, even geeks have brain farts.  Evidently, Gizmo’s Freeware had such a brain fart when they published “Eight PDF Files You Don’t Want to Open”.  I mean, really?  It doesn’t take a genius to figure out that someone wanting to cause mayhem only has to rename those files to something else and send them back out.

However, the article, and the site, had at least one redeeming feature, which made the adventure worthwhile.  The article includes a link to “How to Disable JavaScript in Popular Free PDF Readers”, which tells you what the problem is (JavaScript) and how to disable it.  This is well worthwhile unless you deal a lot with documents requiring it to be turned on.

I have to admit that I never realized that the issues with PDFs are because of JavaScript.  It was the curiosity of trying to figure out what the real problem is that led me down this trail to begin with.  Otherwise, and I’m sure I’m not alone, it is hard to imagine how a document can cause issues.  So, if you do not need JavaScript in your documents, it is best to disable it.

What sort of documents need JavaScript?  Typically, they are forms that are filled in and then saved or printed out.  If you run across these (and trust the source!), you could always temporarily turn it back on while working on the form.  In some cases, it might be better to print the form out and fill it in by hand.  Adobe Reader will display “JavaScript is currently disabled and this document uses it for some features…” if the document requires it.
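One way to check whether a PDF asks for JavaScript before you open it, as an added example that is not from the original post or the articles it links to.  It counts the PDF name tokens that mark embedded script (/JavaScript, /JS) and automatic actions (/OpenAction, /AA), including names written with #xx escapes or tucked inside Flate-compressed streams.  The function names and sample bytes are constructed for illustration, and it is a heuristic: encrypted files and other stream filters are not handled.

```python
import re
import zlib

# PDF name tokens that mark embedded script or automatic actions.
SUSPECT = ("/JavaScript", "/JS", "/OpenAction", "/AA")

NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def decode_name(raw):
    """Undo #xx escapes so /J#61vaScript is read as /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def inflated_streams(data):
    """Yield the contents of Flate-compressed streams, where names can hide."""
    for m in STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed; this sketch skips other filters

def scan_pdf(data):
    """Count suspect names in the raw bytes and in inflated streams."""
    counts = dict.fromkeys(SUSPECT, 0)
    for chunk in (data, *inflated_streams(data)):
        for m in NAME.finditer(chunk):
            name = decode_name(m.group(0))
            if name in counts:
                counts[name] += 1
    return counts

def uses_javascript(data):
    counts = scan_pdf(data)
    return counts["/JavaScript"] > 0 or counts["/JS"] > 0

# Constructed samples (minimal fragments, not complete PDF files).
SAMPLE_SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                   b"2 0 obj\n<< /S /J#61vaScript /JS (;) >>\nendobj\n%%EOF")
SAMPLE_HIDDEN = (b"%PDF-1.5\n3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
                 + zlib.compress(b"<< /S /JavaScript /JS (;) >>") + b"\nendstream\nendobj\n%%EOF")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF"

if __name__ == "__main__":
    for label, sample in [("scripted", SAMPLE_SCRIPTED), ("hidden", SAMPLE_HIDDEN),
                          ("plain", SAMPLE_PLAIN)]:
        print(label, uses_javascript(sample), scan_pdf(sample))
```

To check a real file, pass its bytes to scan_pdf, for example scan_pdf(open(path, "rb").read()).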

Also, it is worthwhile to note that Google Chrome has a built-in PDF viewer.  Disabling it will cause Chrome to use the Acrobat Reader plug-in instead.  Enter “chrome:plugins” into the address bar, look for Chrome PDF Viewer and click on Disable.  Now, since Adobe Reader has JavaScript disabled, a PDF will open in the Adobe Reader plug-in and not run any JavaScript.

Apparently, Firefox also has an integrated PDF viewer called PDF.js.  Yes, if you noticed the .js in the name, it is written in JavaScript, the same thing we are working to avoid.  However, because this is in the browser, it should be sandboxed and not allowed to execute outside of the browser.  It is not a browser extension, so you are not tied to the security consciousness of a third-party plug-in developer.  Of course, you are tied to the security consciousness of the browser developer.  However, I don’t know how it handles JavaScript within PDF files themselves, so if you really want to be safe and use a PDF reader plug-in (that has JavaScript turned off, naturally) instead, you can change this via Firefox Options.

Personally, I have seen very few forms that justify verification of form-filled data, and most of those are government forms.  Anything else, though, you might want to question if it needs to run JavaScript.