Hacking with PDF (2022)

FWIW, ages ago I wrote the PDFKit framework for the Mac (used by Preview and the built-in PDF viewer in Safari).<p>The only exploit listed here that has a chance of working with Preview&#x2F;Safari (PDFKit) is the URI one — none of the Javascript exploits will work.<p>Why? I never implemented Javascript support [1].<p>Security was extremely important at Apple (there&#x27;s a whole security team that frequently interact with the various project owners around the company, write and deploy file fuzzers, create must-fix Radars around exploits found in the wild, etc.).<p>In fact though I had no idea how I would hoist a Javascript runtime and I didn&#x27;t really have the cycles to implement it if I had known how to. Anyways we were content to support the 99% of PDFs out there.<p>[1] In fact there were a few US tax documents that used very simple Javascript snippets to take the values from two fields, add them, and put the result in a third. Some code in PDFKit I added would identify these few very simple patterns and implement them sans JS runtime.

I&#x27;ve always held the opinion that viewing PDFs in something other than Adobe Acrobat gives the user more of a chance of avoiding such attacks... is there any credence to this or is it just wishful thinking?

This is a great demo, ive been concerned about all these pdfs i like to read, this gives me a little more confidence about tools to scan odfs for attacks.

I’m writing a little tool for analysing a pdf and its internals, if author is interested or anyone else, just let me know :)