PDFs that fink

Here’s a tricky little privacy hole: Adobe PDF Reader 6.0 and later will automatically (and silently) execute Javascript that’s been embedded in a PDF file, and LWN reports that a company called Remote Approach uses this “feature” to tag a PDF so it’ll phone home to their servers whenever it’s opened. Their customers can then go to a special webpage to track when the PDF was opened and at what IP address.

I’m sure you can think of your own scenarios where this would be a Bad Thing™, but the case that brought it to my attention was from a supposedly-anonymous reviewer of an academic paper who discovered Remote’s website in his firewall logs.

The simple moral of the story is that content formats should not be able to run arbitrary code, but the more general point is one of setting limits and expectations. End-users need to be able to limit what’s run on their own computers, and when the actual limits are broader than what a naive user might expect (such as when their supposedly-static PDF document can actually access the network) it’s extra important for the system to alert the user what’s happening and get permission first.

To their credit, Adobe seems to have heeded the moral: the current version of Acrobat Reader (at least on the Mac) gives a pop-up warning saying the PDF is trying to access a remote URL, and allows you to save your security settings on a site-by-site basis. I don’t know when they added this alert or whether it was in response to problems like those I mentioned, but regardless it’s nice to see the feature.

(Thanks to Dirk for the link.)