Mozilla debuts in-browser PDF, patches 13 Firefox bugs

Argues that new built-in PDF viewer will keep users safer

Mozilla today released Firefox 19, adding a built-in PDF viewer to the browser.

The integrated viewer was the one noticeable change to users, although Mozilla enhanced under-the-hood features as well for website developers, and added support for additional HTML5 standards.

Firefox 19 also included patches for 13 security vulnerabilities, 10 pegged as "critical," the company's most severe threat ranking.

But the inclusion of a PDF viewer is what Firefox users will see. The viewer was once slated for Firefox 18 -- it was part of that edition's beta -- but Mozilla pulled the component before shipping the browser early last month, delaying it until the next iteration in its every-six-week release cycle.

Firefox's PDF viewer came out of a Mozilla Labs project initially dubbed "PDF.js," the "js" for JavaScript, which along with HTML5 APIs (application programming interfaces), was used to build the browser's viewer.

With the move, Mozilla follows in Google's footsteps: The search giant baked a PDF viewer into Chrome more than two years ago.

But unlike Chrome's PDF viewer, which operates inside the browser's anti-exploit sandbox, Firefox's does not sport similar defenses. And that matters, as PDF documents are often rigged with malicious code.

Adobe, for example, said last weekend that it plans to patch the Reader plug-in this week to stifle attacks exploiting a pair of vulnerabilities. And Foxit, another popular PDF browser plug-in, quashed a bug of its own less than five weeks ago.

Even sans a sandbox, Mozilla claimed its PDF viewer would be more secure than traditional plug-ins such as Adobe Reader. "Many of these plug-ins come with proprietary, closed source code that could potentially expose users to security vulnerabilities," said Bill Walker and Brendan Dahl, engineering manager and software engineer at Mozilla, respectively, in a January blog announcing the viewer.

But security experts have pointed out that Firefox's PDF viewer will likely suffer bugs of its own.

"I would have to imagine that it has just as much potential to have bugs as any other software," said Andrew Storms, director of security operations at nCircle Security, in an interview Tuesday conducted via instant messaging. "It would appear they are banking on the open-source community to provide better security than the closed source commercial PDF viewer from Adobe. By pulling the PDF reader 'in house' via an open-source initiative, it lets them release bug fixes much faster and on their own schedule."

Storms was echoing comments made last month by other security professionals.

Firefox 19 renders PDF documents for viewing and printing without requiring a separate plug-in, following a 2010 move by Google's Chrome.

Mozilla acknowledged that the viewer was not protected by any special defense of the kind that contains malformed PDFs in Adobe's Reader -- at least on Windows, where Reader provides a full-fledged sandbox -- or in Google's Chrome, which sandboxes each tab, isolating a rigged PDF from the rest of the browser.

"PDF.js runs with the same permissions as any Web page though, so there would have to be a security problem with Firefox itself," tweeted the PDF.js team last month in reply to a question about potential security issues with the viewer.

Today, Mozilla stuck to its argument that third-party plug-ins are less secure than Firefox itself, and that with the PDF viewer built into the browser, users will face fewer threats. "Third-party plug-ins are the number one source of security and stability issues in Web browsers," Johnathan Nightingale, who leads Firefox engineering, said in an email, echoing similar statements by other browser makers. "Firefox uses a JavaScript library called PDF.js instead of handing off to other software...[and] because this support is implemented in JavaScript with the same level of privilege as any other Web page, it avoids many of the memory safety vulnerabilities that have plagued stand-alone plug-ins."

But Storms noted the flip side. "So if this PDF process, as part of Firefox, has a hole, the attacker in theory then owns the browser instead of just the plug-in process," Storms said.

Mozilla also patched 13 vulnerabilities, 10 critical, one marked "high" and two pegged "moderate," in Firefox today.

Nearly half of the bugs were reported by Abhishek Arya, better known as "Inferno," of the Chrome security team, Mozilla said in one of today's advisories, making this the third Firefox upgrade running where Arya has accounted for a major part of the reported vulnerabilities.

Three of the six reported by Arya were use-after-free vulnerabilities, a type of memory management bug that Google's security engineers have rooted out in droves from Chrome and, increasingly, other browsers.

Another of the baker's dozen, also a use-after-free bug, was reported by a researcher known only as "Nils," who is best known for back-to-back victories at the 2009 and 2010 Pwn2Own hacking contests.

Windows, Mac and Linux editions of Firefox 19 can be downloaded manually from Mozilla's site. Already-installed copies will upgrade automatically.

The next version of Firefox is scheduled to ship April 2, 2013.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
