Mozilla debuts in-browser PDF, patches 13 Firefox bugs
Argues that new built-in PDF view will keep users safer
Computerworld - Mozilla today released Firefox 19, adding a built-in PDF viewer to the browser.
The integrated viewer was the one noticeable change to users, although Mozilla enhanced under-the-hood features as well for website developers, and added support for additional HTML5 standards.
Firefox 19 also included patches for 13 security vulnerabilities, 10 pegged as "critical," the company's most severe threat ranking.
But the inclusion of a PDF viewer was what Firefox users will see. The viewer was once slated for Firefox 18 -- it was part of that edition's beta -- but Mozilla pulled the component before shipping the browser early last month, delaying it until the next iteration in its every-six-week release cycle.
With the move, Mozilla follows in Google's footsteps: The search giant baked a PDF viewer into Chrome more than two years ago.
But unlike Chrome's PDF viewer, which operates inside the browser's anti-exploit sandbox, Firefox's does not sport similar defenses. And that matters, as PDF documents are often rigged with malicious code.
Adobe, for example, said last weekend that it plans to patch the Reader plug-in this week to stifle attacks exploiting a pair of vulnerabilities. And Foxit, another popular PDF browser plug-in, quashed a bug of its own less than five weeks ago.
Even sans a sandbox, Mozilla claimed its PDF viewer would be more secure than traditional plug-ins such as Adobe Reader. "Many of these plug-ins come with proprietary, closed source code that could potentially expose users to security vulnerabilities," said Bill Walker and Brendan Dahl, engineering manager and software engineer at Mozilla, respectively, in a January blog announcing the viewer.
But security experts have pointed out that Firefox's PDF viewer will likely suffer bugs of its own.
"I would have to imagine that it has just as much potential to have bugs as any other software," said Andrew Storms, director of security operations at nCircle Security, in an interview Tuesday conducted via instant messaging. "It would appear they are banking on the open-source community to provide better security than the closed source commercial PDF viewer from Adobe. By pulling the PDF reader 'in house' via an open-source initiative, it lets them release bug fixes much faster and on their own schedule."
Storms was echoing comments made last month by other security professionals.
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts