Mozilla debuts in-browser PDF, patches 13 Firefox bugs
Argues that new built-in PDF viewer will keep users safer
Computerworld - Mozilla today released Firefox 19, adding a built-in PDF viewer to the browser.
The integrated viewer was the one noticeable change to users, although Mozilla enhanced under-the-hood features as well for website developers, and added support for additional HTML5 standards.
Firefox 19 also included patches for 13 security vulnerabilities, 10 pegged as "critical," the company's most severe threat ranking.
But the inclusion of a PDF viewer is what Firefox users will see. The viewer was once slated for Firefox 18 -- it was part of that edition's beta -- but Mozilla pulled the component before shipping the browser early last month, delaying it until the next iteration in its every-six-week release cycle.
With the move, Mozilla follows in Google's footsteps: The search giant baked a PDF viewer into Chrome more than two years ago.
But unlike Chrome's PDF viewer, which operates inside the browser's anti-exploit sandbox, Firefox's does not sport similar defenses. And that matters, as PDF documents are often rigged with malicious code.
Adobe, for example, said last weekend that it plans to patch the Reader plug-in this week to stifle attacks exploiting a pair of vulnerabilities. And Foxit, another popular PDF browser plug-in, quashed a bug of its own less than five weeks ago.
Even sans a sandbox, Mozilla claimed its PDF viewer would be more secure than traditional plug-ins such as Adobe Reader. "Many of these plug-ins come with proprietary, closed source code that could potentially expose users to security vulnerabilities," said Bill Walker and Brendan Dahl, engineering manager and software engineer at Mozilla, respectively, in a January blog announcing the viewer.
But security experts have pointed out that Firefox's PDF viewer will likely suffer bugs of its own.
"I would have to imagine that it has just as much potential to have bugs as any other software," said Andrew Storms, director of security operations at nCircle Security, in an interview Tuesday conducted via instant messaging. "It would appear they are banking on the open-source community to provide better security than the closed source commercial PDF viewer from Adobe. By pulling the PDF reader 'in house' via an open-source initiative, it lets them release bug fixes much faster and on their own schedule."
Storms was echoing comments made last month by other security professionals.