Mozilla acknowledged that the viewer was not protected by any special defense, as are malformed PDFs in Adobe's Reader -- at least on Windows, which provides a full-fledged sandbox -- or in Google's Chrome, which sandboxes each tab, isolating a rigged PDF from the rest of the browser.
"PDF.js runs with the same permissions as any Web page though, so there would have to be a security problem with Firefox itself," tweeted the PDF.js team last month in reply to a question about potential security issues with the viewer.
Today, Mozilla stuck to its argument that third-party plug-ins are less secure than Firefox itself, and by burying the PDF viewer inside the browser, users will face fewer threats. "Third-party plug-ins are the number one source of security and stability issues in Web browsers," Johnathan Nightingale, who leads Firefox engineering, said in an email, echoing similar statements by other browser makers. "Firefox uses a JavaScript library called PDF.js instead of handing off to other software...[and] because this support is implemented in JavaScript with the same level of privilege as any other Web page, it avoids many of the memory safety vulnerabilities that have plagued stand-alone plug-ins."
But Storms noted the flip side. "So if this PDF process, as part of Firefox, has a hole, the attacker in theory then owns the browser instead of just the plug-in process," Storms said.
Mozilla also patched 13 vulnerabilities, 10 critical, one marked "high" and two pegged "moderate," in Firefox today.
Nearly half of the bugs were reported by Abhishek Arya, better known as "Inferno," of the Chrome security team, Mozilla said in one of today's advisories, making this the third Firefox upgrade running where Arya has accounted for a major part of the reported vulnerabilities.
Three of the six reported by Arya were use-after-free vulnerabilities, a type of memory management bug that Google's security engineers have rooted out in droves from Chrome and, increasingly, other browsers.
Another of the baker's dozen, also a use-after-free bug, was reported by a researcher known only as "Nils," who is best known for back-to-back victories at the 2009 and 2010 Pwn2Own hacking contests.
Windows, Mac and Linux editions of Firefox 19 can be downloaded manually from Mozilla's site. Already-installed copies will upgrade automatically.
The next version of Firefox is scheduled to ship April 2, 2013.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at 
@gkeizer, on Google+ or subscribe to Gregg's RSS feed 
. His email address is gkeizer@computerworld.com.
See more by Gregg Keizer on Computerworld.com.
Read more about Web Apps in Computerworld's Web Apps Topic Center.
Free Insider Guide
Our weekly newsletter will cover a wide range of topics and trends related to consumerization. Stay up to date with news, reviews and in-depth coverage of BYOD, smartphones, tablets, MDM, cloud, social and how consumerization affects IT. Subscribe now!
Copyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
