Alternative PDF Viewers Lag Behind Adobe Reader in Security

Posted by Sanford Bingham on Apr 1, 2010 5:28:00 PM

Our colleague Vivek Unune has pointed out yet another attack related to PDF files.

This one is a bit unusual in that it exploits a PDF language feature (launch action for embedded files), rather than a specific vulnerability. This means that it impacts not only the Adobe Reader, but probably all full-featured PDF viewers (though not all PDF viewers are full featured, see below).

At least one PDF viewer, Foxit Reader, appears to be more vulnerable to this particular exploit than the Adobe Reader. This is not unusual: most of the PDF exploits that have been uncovered so far, especially the ones related to JavaScript, affect most, if not all, other PDF viewers at least as much as they do the Adobe viewer (http://www.pcworld.com/businesscenter/article/160977/foxit_pdf_viewer_also_open_to_attack_say_researchers.html).

This particular attack requires that the user actively allow the exploit to run, though as the author points out it is quite possible to mask this in such a way as to make it likely that users will go along (and in Foxit the exploit just runs, with no user interaction required). Preventing the exploit in the Adobe viewer is relatively simple (uncheck the box at Edit>Preferences>Trust Manager: Allow opening of non-PDF file attachments with external applications).
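Because this attack rides on a documented PDF feature rather than a parser bug, a defender's first line of triage is simply to look for the feature in inbound files before they reach a viewer. The following scanner is an added example and not code from the original post or from FileOpen: it counts the name objects that signal a Launch action, an embedded file, JavaScript, and the automatic triggers (/OpenAction, /AA) that fire them without a deliberate click. It goes slightly beyond the post by also resolving the #xx hex escapes the PDF syntax allows inside names, since a naive `grep` for `/Launch` misses `/L#61unch`. The two sample documents are constructed fragments for illustration, not complete or valid PDFs.

```python
import re

# Name objects worth flagging when triaging an inbound PDF. /Launch is the
# action type this attack abuses; the others are its usual companions
# (an embedded payload, JavaScript, and the triggers that fire automatically).
RISKY_NAMES = ("/Launch", "/EmbeddedFile", "/JavaScript", "/JS", "/OpenAction", "/AA")

# PDF name objects may spell characters as #xx hex escapes (/L#61unch == /Launch),
# which defeats naive string matching, so escapes are resolved before scanning.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside the raw PDF bytes."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count risky name objects and return a simple triage verdict.

    Only the uncompressed top-level syntax is inspected; names hidden inside
    compressed object streams (PDF 1.5+) need a real parser to surface.
    """
    norm = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # Negative lookahead stops /JS from matching inside a longer name.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z])"
        counts[name] = len(re.findall(pattern, norm))
    has_launch = counts["/Launch"] > 0
    has_js = counts["/JavaScript"] + counts["/JS"] > 0
    auto_trigger = counts["/OpenAction"] + counts["/AA"] > 0
    return {
        "counts": counts,
        # A Launch action is the case the post describes; JavaScript is the
        # other family it mentions. Either deserves a look before opening.
        "suspicious": has_launch or has_js,
        # Automatic triggers let either one run without a deliberate click.
        "auto_trigger": auto_trigger,
    }


# Constructed sample inputs: minimal PDF fragments, not complete or valid files.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"%%EOF\n"
)

LAUNCH_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    # The action name is hex-escaped to show why normalization matters.
    b"3 0 obj << /Type /Action /S /L#61unch /F (CONSTRUCTED_ATTACHMENT) >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("launch", LAUNCH_PDF)):
        print(label, scan_pdf(doc))
```

Run against a real mail or web gateway feed, a non-zero `/Launch` count is a strong reason to quarantine the file for review, while `/EmbeddedFile` or `/JS` alone is common in legitimate forms and only becomes interesting in combination with an automatic trigger.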

The reason one hears so much less about other vulnerable PDF applications is presumably that they are much less widely used. While there are a great many PDF viewers (see http://en.wikipedia.org/wiki/List_of_PDF_software), only one of them has any significant market share. I can't cite any real data for this claim (if anyone has statistics on penetration levels please send it), but my guess is that the distribution of PDF viewers is similar to that in the Office productivity market (MS Office vs. Corel and Open Office etc.), where the Microsoft share is about 80% overall (see http://www.webmasterpro.de/portal/news/2010/02/05/international-openoffice-market-shares.html). In the PDF world I'd bet that the combined share of all non-Adobe PDF viewers is less than 10% of the total, with the Adobe viewer having the other 90%.

With this in mind I was intrigued to read a review by Duff Johnson of Appligent, http://www.appligent.com/talkingpdf-pdfreaderreview, in which he analyzes a few alternative PDF viewers and finds each of them wanting in many important respects, relative to Adobe's viewer. This functionality gap is the result of Adobe having invented PDF and working with it longer, with more resources, than anyone else.

Just as we have seen Microsoft over the past five years, perhaps longer, make security a primary objective, so too do we now see Adobe prioritizing the effort to stop vulnerabilities. Today the case can reasonably be made that Windows is the most secure OS available (see http://blogs.zdnet.com/hardware/?p=4146, http://www.oreillynet.com/windows/blog/2007/05/is_vista_more_secure_than_mac_1.html, etc.), and the same can be said about the Adobe 9.x viewers relative to all other PDF viewers. Adobe's statements around the beta of the next Acrobat release suggest that security will be an even more important part of that product, along with a variety of other features and functionality that we will discuss as soon as we are permitted to do so.

I should point out that FileOpen's encryption tools work with PDFs generated from a wide range of third-party PDF creation tools, in addition to Adobe Acrobat, as long as the PDFs are compliant with the PDF Specification, now an ISO standard. On the client-side, however, we currently support the Adobe Viewer for secure PDF viewing (in part for the security reasons mentioned above). We have also developed the FileOpen document viewer which can convert PDF content and display it securely in any Flash-enabled web browser, without any need for a client plug-in.

Topics: document control FileOpen pdf security pdf encryption