Alejandro Exojo <[EMAIL PROTECTED]> wrote:

> On Friday, 11 February 2005 17:21, Jay Berkenbilt wrote:
>> That isn't to say that it is impossible to create a security hole
>> through a PDF file, but it's more comparable to html in that respect
>> than to PostScript. In other words, you could include a malicious
>> link or put invalid PDF data that would exploit a security hole in a
>> specific PDF viewer, but you can't actually embed malicious code.
>
> Really?
>
> http://lists.kde.org/?l=kde-core-devel&m=110470798901386&w=2
>
> I'm a PDF ignorant, so maybe I misunderstood something.

This article points to the fact that you can create a link in a PDF that opens an application. This is the kind of thing I meant when I said that a PDF could include a malicious link in the same way HTML code could, though PDF can do it in a more generalized way. Since you could embed the application "rm -rf /" in a PDF, I'll have to back off a bit on my original point, so thanks for the correction.

The difference here though is that you could create a postscript file that would remove files just by having you load it in ghostscript, whereas the user would have to actually select a link in this example, but in some ways, this is splitting hairs. It's certainly somewhat more difficult to examine the target of the link in a PDF than in HTML, but as the article you referenced points out, the viewer can help with this.

Thanks for making this point in response to my message. I don't want my message to lull anyone into a false sense of security -- you and Martin are correct that it would be possible to create a PDF that has damaging code in it in that sense. Sorry for the confusion.

-- 
Jay Berkenbilt <[EMAIL PROTECTED]>
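
The message above notes that a link's target is harder to examine in a PDF than in HTML. As an added example (not part of the original thread), this Python sketch lists the targets of URI and Launch actions so they can be reviewed before the file is opened. The sample bytes and all names are constructed; it reads only uncompressed objects and does not handle nested parentheses in strings.

```python
import re

# /S names the action type inside an action dictionary.
ACTION = re.compile(rb"/S\s*/(Launch|URI)\b")
# Literal-string targets: /URI (...) for links, /F (...) for the file to open.
TARGET = re.compile(rb"/(?:F|URI)\s*\(((?:\\.|[^\\()])*)\)")

def dictionaries(data):
    """Yield (full, top_level) per << >> dictionary; top_level omits nested ones."""
    stack, i = [], 0
    while i < len(data) - 1:
        if data[i:i + 2] == b"<<":
            stack.append((i, []))
            i += 2
        elif data[i:i + 2] == b">>" and stack:
            start, children = stack.pop()
            end = i + 2
            if stack:
                stack[-1][1].append((start, end))  # record as child of parent
            top, pos = b"", start
            for child_start, child_end in children:
                top += data[pos:child_start] + b" "
                pos = child_end
            yield data[start:end], top + data[pos:end]
            i = end
        else:
            i += 1

def find_actions(data):
    """Return [(action_type, [targets])] for every URI or Launch action."""
    found = []
    for full, top in dictionaries(data):
        match = ACTION.search(top)  # only this dictionary's own /S key
        if match:
            targets = [t.group(1).decode("latin-1") for t in TARGET.finditer(full)]
            found.append((match.group(1).decode(), targets))
    return found

# Constructed sample: two link annotations, one URI action and one Launch action.
SAMPLE = b"""%PDF-1.4
5 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/report) >> >>
endobj
6 0 obj
<< /Type /Annot /Subtype /Link
   /A << /S /Launch /Win << /F (placeholder.exe) /P (constructed-args) >> >> >>
endobj
"""

print(find_actions(SAMPLE))
```

A Launch entry in the output is the case discussed in the thread: a link that starts an application rather than opening a URL.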