PAUL BIBA is TeleRead's Editor. Reach Paul with news items or other TeleRead business at
pbiba at napco dot com.
TeleRead is a website of North American Publishing Company (NAPCO)
Copyright ©2012 | Gadgetell LLC & North American Publishing Company (NAPCO) | All Rights Reserved
1500 Spring Garden Street, 12th Floor | Philadelphia, PA 19130 USA | (215) 238-5300
Send Questions/Comments to webmaster@napco.com | Privacy Policy
Comments:
Until more detailed analysis comes in, I’ll withhold judgment on how serious the vulnerability is for the current PDF and Adobe products, but it does show that allowing arbitrary executable code in a document format (whether Javascript in a PDF or arbitrary Java in some proposed ebook formats or DRM schemes) makes all kinds of exploits possible, and it is very difficult to make sure you’ve got all the possible holes plugged – especially since many vulnerabilities come from the interaction of executable features.
In particular, if the code can retrieve sensitive information from your local system, *and* can also access arbitrary URLs, then those two features put together potentially allow strangers to access sensitive information from your local system. (Asking permission to access the URL gives only limited protection; the sensitive information may get obfuscated in a URL or form parameter whose significance is not readily apparent to a user.)
Which just goes to show that format designers should think very carefully before adding scripting or other executable-code features in their formats, and readers of electronic content should think carefully before allowing content in such formats on their systems.
John, thanks for the informative and restrained comments. We’ll wish Adobe and others the best of luck in getting to the bottom of this. Of course, security considerations should be very much on the minds of all e-book format designers—and standards-setters. I’d prefer that the vetting happen from outside the vendor community, or at least with the participation of disinterested experts, not just the usual suspects. Meanwhile I hope you’ll keep us up to date as more facts come out. Thanks again. – David
Kind of amusing, considering that the forerunner of PDF was Postscript, which was a fully executable language. I think the vulnerabilities (if any) are in Adobe Reader, not PDF.
“…in Adobe Reader, not PDF.”
But they might as well be the same if you want to read DRMed PDF of the kind that the big publishers favor
Great illustration of the need to separate formats from readers!
David
Does anyone really want to read EBX-DRM’d PDF (or play any-DRM’d music)? Don’t let anecdotal evidence from that small band of early adopters who bought into the failed 1998 idea of what an ebook would be, and have so far refused to recognize that the future didn’t actually turn out that way, mislead you into thinking that EBX-DRM’d PDF is a significant fraction of the PDF-reading whole.
In a very real way, the PDF format is already separated from any particular reader. I’m sure Adobe wishes it weren’t so, but it is.