Sunday, 9 August 2015

Fasten your seat belt, Dorothy, 'cause your PDF is going bye-bye

You may have heard of this already, because it is a couple of days old, and you have probably already received the security update that patches it: a vulnerability that allows Firefox's built-in PDF reader to read any file you have access to. Still, the fact that an exploit for this was spotted in the wild last week chills me to the bone. We all use web browsers, on a daily basis I guess, and many developer hours go into making sure that remote sites cannot, under any circumstances, break out of the sandbox the browser provides to a web app. The fact that a malicious PDF file can be used to read any file I have permission to read tells me something in that area went terribly wrong. Since it is unlikely that this is the last such vulnerability to be discovered and used against users, you should always remind yourself that the only reason nothing evil has happened to you so far is that most of the time you are browsing sites that don't want to do anything evil to you.

