Wednesday, March 31, 2010

Exploiting PDFs

This PoC from Didier Stevens clearly shows how stupid it is to allow PDFs to start new processes. We'll end up creating bloated monsters like the current browsers to deal with these files. Can someone please "strip down" the PDF format to something that makes sense again?

I wonder what happened to "pure data" formats. Most of what people need to do with scripting in PDF files could be done with a slightly smarter reader and more metadata (adding a form field such as "date_validated" instead of creating a script to validate the date, or "text_uppercase" instead of using scripts to change the content to upper case).
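As an added example (not from the post or from Didier Stevens' PoC), here is a small static scan that flags the PDF action names which let a document start a process or run script, the capability the post objects to. It decodes the `#xx` hex escapes that PDF names may carry, so a name written as `/L#61unch` is still recognised as `/Launch`; the sample PDF bytes and the `PLACEHOLDER_PROGRAM` target are constructed for the demonstration.

```python
import re

# Action and dictionary names that let a PDF trigger code or process execution.
# This is a defender's watchlist, not an exhaustive list of PDF features.
RISKY_NAMES = {"/Launch", "/JavaScript", "/JS", "/OpenAction", "/AA", "/EmbeddedFile"}

# A PDF name starts with '/' and runs until whitespace or a delimiter character.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")


def normalize_name(raw: bytes) -> str:
    """Decode '#xx' hex escapes so that b'/L#61unch' compares equal to '/Launch'."""
    def _unhex(m: re.Match) -> bytes:
        return bytes([int(m.group(1), 16)])
    return re.sub(rb"#([0-9A-Fa-f]{2})", _unhex, raw).decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Count occurrences of risky names in raw PDF bytes (streams are not inflated)."""
    counts: dict = {}
    for m in _NAME_RE.finditer(data):
        name = normalize_name(m.group(0))
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


def is_suspicious(data: bytes) -> bool:
    """True when the document can launch a process or run script on open."""
    counts = scan_pdf_bytes(data)
    return any(n in counts for n in ("/Launch", "/JavaScript", "/JS"))


# Constructed sample: a minimal document whose open action is a hex-escaped /Launch.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /L#61unch /F (PLACEHOLDER_PROGRAM) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a plain document with no actions at all.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    print(scan_pdf_bytes(SAMPLE_PDF), is_suspicious(SAMPLE_PDF))
    print(scan_pdf_bytes(BENIGN_PDF), is_suspicious(BENIGN_PDF))
```

A scan like this only looks at uncompressed bytes; names hidden inside compressed object streams need the streams inflated first, which is why a reader that simply had no launch capability would be the better fix.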

