Microsoft should add a basic PDF viewer to Windows to help protect users from the spike in attacks exploiting bugs in Adobe's Reader, a security researcher said Friday.
And the /Launch function, which allows PDF documents to run embedded executable files, is currently being exploited by attackers in a widespread malicious message campaign that tries to trick users into opening a rigged PDF.
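As an added, defender-side illustration (not code from the article, F-Secure or Adobe), the Python below lists the target of every /Launch action in a PDF byte string, resolving PDF name hex escapes and inflating Flate-compressed streams so that a plain string match is not defeated; the object fragments and the file name placeholder.exe are constructed samples, not real malware.

```python
"""Triage helper: list every /Launch action target in a PDF byte string."""
import re
import zlib

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")     # PDF names allow #xx escapes
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
_LAUNCH = re.compile(rb"/S\s*/Launch\b")             # action dictionary with subtype Launch
_TARGET = re.compile(rb"/F\s*\(([^)]*)\)")          # the /F (file) entry of that action
_WINDOW = 200  # bytes around the /S /Launch token in which its /F entry is looked for

def inflate_streams(data: bytes) -> bytes:
    """Append an inflated copy of every zlib-decodable stream body, so objects
    that were packed into FlateDecode streams are visible to the matchers."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not zlib data (e.g. an image); the raw bytes are still scanned
    return data + b"\n" + b"\n".join(extra)

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so that /#4Caunch is matched as /Launch."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def find_launch_targets(data: bytes) -> list:
    """Return the /F target of each /Launch action (b'' when none is nearby)."""
    text = normalize_names(inflate_streams(data))  # inflate first: #xx inside zlib bytes must stay intact
    targets = []
    for m in _LAUNCH.finditer(text):
        window = text[max(0, m.start() - _WINDOW): m.end() + _WINDOW]
        hit = _TARGET.search(window)
        targets.append(hit.group(1) if hit else b"")
    return targets

# Constructed samples (not real malware): a catalog whose OpenAction points at a
# Launch action, written plainly, with a hex-escaped name, and Flate-compressed.
SAMPLE_PLAIN = (b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /Type /Action /S /Launch /Win << /F (placeholder.exe) >> >> endobj\n")
SAMPLE_ESCAPED = SAMPLE_PLAIN.replace(b"/Launch", b"/#4Caunch")
SAMPLE_FLATE = (b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"3 0 obj << /Filter /FlateDecode >> stream\n"
                + zlib.compress(b"2 0 obj << /S /Launch /F (placeholder.exe) >> endobj")
                + b"\nendstream endobj\n")
SAMPLE_BENIGN = b"1 0 obj << /Type /Action /S /URI /URI (https://example.invalid/) >> endobj\n"

if __name__ == "__main__":
    for name, doc in (("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                      ("flate", SAMPLE_FLATE), ("benign", SAMPLE_BENIGN)):
        print(name, find_launch_targets(doc))  # benign -> []; the rest -> [b'placeholder.exe']
```

The 200-byte window is a triage heuristic for locating the /F entry next to its /S /Launch token; a full PDF object parser would resolve the dictionary exactly.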
Sullivan spelled out his case in more detail in a post to the F-Secure security blog on Thursday. "Your customers are tired of the exploits and the complications that so many of today's PDF readers include," said Sullivan in a "Dear Microsoft" missive.
"They should write a really simplified viewer, one that just previews PDF," Sullivan added Friday in a telephone interview. "They don't even need to build it into the operating system. They can make it an optional download like they did the 'Save As PDF' add-in for Office."
Although Microsoft intended to add support for saving documents in the PDF file format to Office 2007, it was forced to backtrack when Adobe baulked. Instead, Microsoft built a "Save as PDF" add-on that it made available free of charge. After Adobe submitted the PDF/A specification to the ISO (International Organization for Standardization) in 2008, Microsoft added "Save As PDF" support to its suite with the release of Office 2007 Service Pack 2 (SP2) a year ago. The same feature is available in Office 2010.
Office cannot open PDF documents without third-party software or add-ons, however. Windows 7's and Windows Vista's preview feature also won't display PDFs. Instead, Microsoft has promoted, with little success, a substitute for PDF dubbed XPS (XML Paper Specification); an XPS viewer is bundled with Windows 7, for example.
"The PDF specification has been completely royalty-free since 2006," said Sullivan, noting that Microsoft would not have to pay Adobe if it did craft a viewer of its own. "There's no reason why it can't create a native PDF viewer. It could even let users toggle it on and off, if it [were] worried about antitrust [issues]."
Several times, Sullivan compared his vision of a Windows PDF viewer to Preview, the application that Apple includes with Mac OS X. But Preview is not bug-free: In March, researcher Charlie Miller said he'd found more than 60 PDF files on the Web that could be used to crash and likely exploit Preview.
Even so, Sullivan argued that Microsoft, or failing that, Adobe itself, should develop a stripped-down PDF viewer that omitted the functionality and features hackers have exploited. "I wish Adobe would create two different versions of Reader, one maybe 'Reader Lite' that's really just a viewer," he said.