Safety of viewing PDF files in PDF-XChange Viewer

Impress
User
Posts: 66
Joined: Wed Mar 04, 2015 8:08 pm

Safety of viewing PDF files in PDF-XChange Viewer

Post by Impress »

I need to view multiple PDF files sent to me from a party who I do NOT trust.

Naturally, I have thoroughly scanned the files for viruses and other malware. None are reported.

When a PDF file is viewed in PDF-XChange Viewer, is there anything to be concerned about?

For example:
1. Can a PDF file viewed in PDF-XChange Viewer "phone home" to indicate that the file was viewed?
2. Can a PDF file viewed in PDF-XChange Viewer run executable code?
3. Anything else to be concerned about?

What I've already done:
A. In Security Options, set "Allow Launch Actions" and "Allow File Attachments opening" both to "Never"
B. In Security Options, unchecked "Open documents' URL(s) without confirmations"
C. In JavaScript Options, unchecked "Enable JavaScript Actions"
D. In JavaScript Options, checked "Show warning when JavaScript action executes"
Interestingly, when I open some trusted PDF files that contain JavaScripts, even with the above settings, I get asked if I want the JavaScripts to run.
Patrick-Tracker Supp
Site Admin
Posts: 1645
Joined: Thu Mar 27, 2014 6:14 pm

Re: Safety of viewing PDF files in PDF-XChange Viewer

Post by Patrick-Tracker Supp »

Hello Impress,

Thank you for the post. Although it is highly recommended that you never open things from bodies you do not trust, here are a few things to take note of:
1. Can a PDF file viewed in PDF-XChange Viewer "phone home" to indicate that the file was viewed?
There is no way that can happen.
2. Can a PDF file viewed in PDF-XChange Viewer run executable code?
Within a PDF, you can set a link to open an executable; however, that executable would need to be on the computer to begin with. If it were set to a web link, the Viewer will ask if you wish to open the link. In short, I would not worry about executables within a PDF.
3. Anything else to be concerned about?
Yes. It is rather easy to trick an email client that something is a PDF when it is not. I would be wary of opening any file from an untrusted source.

I do not know the context with which you have received the PDF, so I will not advise on what you should do.

I hope this information helps you come to an informed decision.
Impress wrote: Interestingly, when I open some trusted PDF files that contain JavaScripts, even with the above settings, I get asked if I want the JavaScripts to run.

If you have "Show warning when JavaScript action executes" enabled, you will get a warning regardless of the other settings.

HTH
If posting files to this forum, you must archive the files to a ZIP, RAR or 7z file or they will not be uploaded.
Thank you.

Cheers,

Patrick Charest
Tracker Support North America
Impress
User
Posts: 66
Joined: Wed Mar 04, 2015 8:08 pm

Re: Safety of viewing PDF files in PDF-XChange Viewer

Post by Impress »

Patrick-Tracker Supp wrote:Hello Impress,

Thank you for the post. Although it is highly recommended that you never open things from bodies you do not trust, here are a few things to take note of:
1. Can a PDF file viewed in PDF-XChange Viewer "phone home" to indicate that the file was viewed?
There is no way that can happen.
That's great news! Thank you!
Patrick-Tracker Supp wrote:
2. Can a PDF file viewed in PDF-XChange Viewer run executable code?
Within a PDF, you can set a link to open an executable; however, that executable would need to be on the computer to begin with. If it were set to a web link, the Viewer will ask if you wish to open the link. In short, I would not worry about executables within a PDF.
When you say that the executable would need to be on the computer to begin with, is it possible for a PDF to have an embedded executable, something akin to it having embedded fonts?

What do you think of adding an option to prevent any links from opening executables, or perhaps even HTTP URLs?
Patrick-Tracker Supp wrote:
3. Anything else to be concerned about?
Yes. It is rather easy to trick an email client that something is a PDF when it is not. I would be wary of opening any file from an untrusted source.
I agree completely! FWIW, I know that the files all contain PDF data because I am able to open all the ones I have received in PDF-XChange Viewer. If it can be viewed in PDF-XChange Viewer, then it is safe, correct?
Patrick-Tracker Supp wrote: I do not know the context with which you have received the PDF, so I will not advise on what you should do.
I'll provide the context in case it is relevant. I am suing two parties in a court of law. The Defendants have shown egregious unethical conduct in the past. They have hired a defense lawyer who has a history of inappropriate behavior and has been sanctioned more than once for his actions. They have sent me hundreds of pages in dozens of PDF files that I need to read as part of the case. I could insist they print them all out, but if opening the PDFs is completely safe, it is a much more usable (and searchable) format.
Patrick-Tracker Supp wrote: I hope this information helps you come to an informed decision.
Definitely. Thank you very much.
Patrick-Tracker Supp wrote:
Interestingly, when I open some trusted PDF files that contain JavaScripts, even with the above settings, I get asked if I want the JavaScripts to run.
If you have "Show warning when JavaScript action executes" enabled, you will get a warning regardless of the other settings.

HTH
Why is that? Do you think it might make more sense, when executing JavaScripts is disabled, to bypass any warnings?
Am I correct in understanding that if, in JavaScript Options, "Enable JavaScript Actions" is unchecked, no JavaScript will ever run no matter how the user responds to the warnings?

Also, does the option "Enable JavaScript Interactive Console" have any effect if "Enable JavaScript Actions" is unchecked? It is currently checked, but dimmed.

Thank you again for all your help! PDF-XChange Viewer is a fine example of great programming and design.
Patrick-Tracker Supp
Site Admin
Posts: 1645
Joined: Thu Mar 27, 2014 6:14 pm

Re: Safety of viewing PDF files in PDF-XChange Viewer

Post by Patrick-Tracker Supp »

Hello Impress,
Impress wrote: is it possible for a PDF to have an embedded executable, something akin to it having embedded fonts?
That is not possible.
Impress wrote: What do you think of adding an option to prevent any links from opening executables, or perhaps even HTTP URLs?
I believe you are looking for these options in the Editor found under Edit-->Preferences--> Security:

Impress wrote: FWIW, I know that the files all contain PDF data because I am able to open all the ones I have received in PDF-XChange Viewer. If it can be viewed in PDF-XChange Viewer, then it is safe, correct?
Indeed, then they are definitely PDF. You can open a PDF in a text editor (such as Notepad) to see the underlying encoding. Below are the first few lines of a document on my PC:

%PDF-1.4
%âãÏÓ
1 0 obj
<<
/CreationDate (D:20150303132828-08'00')
/Creator (PDF-XChange Editor 5.5.312.1)
/ModDate (D:20150303154547-08'00')
/Producer (PDF-XChange PDF Core API \(5.5.312.1\))
>>
You can see the legitimacy of the file that way (the first few lines are more important), and, due to the basic nature of Notepad, it is completely safe.
Impress wrote: Do you think it might make more sense, when executing JavaScripts is disabled, to bypass any warnings?
I believe that is governed by the International Organization of Standardization (ISO), so that people will know when JS is supposed to, or trying to be run, regardless of settings.
Impress wrote: does the option "Enable JavaScript Interactive Console" have any effect if "Enable JavaScript Actions" is unchecked? It is currently checked, but dimmed.
None at all. The JavaScript console is so you can write/edit JavaScript in a PDF, or apply it to a PDF. If JS is disabled, the JavaScript Console remains inaccessible.
Impress wrote: Thank you again for all your help! PDF-XChange Viewer is a fine example of great programming and design.


Thank you for your kind words! I am always happy to help!

Cheers,

Patrick Charest
Tracker Support North America
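
Added example, not part of the original posts and not Tracker Software's code: a static look at the raw bytes that takes the text-editor check described above one step further, reporting where the %PDF- header sits and which name keys tied to the settings discussed in this thread (JavaScript, launch actions, file attachments, URL links) appear in the file. The function names and the sample bytes are constructed for illustration.

```python
import re

# Name keys tied to the settings discussed in this thread: JavaScript,
# launch actions, file attachments, URL links and automatic actions.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/URI", "/SubmitForm")
NAME_RE = re.compile(rb"/[^\x00\t\n\f\r ()<>\[\]{}/%]+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is counted as /JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Static check: header position plus counts of risky name keys.

    Nothing is rendered or executed. Names inside compressed streams are
    not visible to this scan, so a zero count is not proof of absence.
    """
    counts = dict.fromkeys(RISKY_NAMES, 0)
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group())
        if name in counts:
            counts[name] += 1
    return {
        "header_offset": data.find(b"%PDF-"),  # 0 means the file starts as PDF
        "has_object_streams": b"/ObjStm" in data,
        "findings": {n: c for n, c in counts.items() if c},
    }


# Constructed sample (not a real document): three objects carrying an
# open action, a hex-escaped JavaScript name and a launch action.
SAMPLE = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /J#61vaScript /JS (constructed) /Next 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /Launch /F (constructed) >>\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```
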
Impress
User
Posts: 66
Joined: Wed Mar 04, 2015 8:08 pm

Re: Safety of viewing PDF files in PDF-XChange Viewer

Post by Impress »

Patrick-Tracker Supp wrote: That is not possible.
That's also great news!
Patrick-Tracker Supp wrote: I believe you are looking for these options in the Editor found under Edit-->Preferences--> Security ...
The options in PDF-XChange Viewer are a little different than those. You can set 'Allow Launch Actions' to 'Never'. Will that prevent anything from being launched, even HTTP or HTTPS URLs?
Patrick-Tracker Supp wrote: Indeed, then they are definitely PDF. You can open PDF in a text editor (such as notepad) to see the underlying encoding...
Great, thanks. I always tell people "Notepad is your friend!" :D
Patrick-Tracker Supp wrote: I believe that is governed by the International Organization of Standardization (ISO), so that people will know when JS is supposed to, or trying to be run, regardless of settings.
Is there any way to configure PDF-XChange Viewer to get rid of JS notifications and at the same time have JS completely disabled?
Patrick-Tracker Supp wrote: None at all. The JavaScript console is so you can write/edit JavaScript in a PDF, or apply it to a PDF. If JS is disabled, the JavaScript Console remains inaccessible.
Perfect. Thanks.
Patrick-Tracker Supp wrote: Thank you for your kind words! I am always happy to help!
You and your team are top-notch in my book! :D
Patrick-Tracker Supp
Site Admin
Posts: 1645
Joined: Thu Mar 27, 2014 6:14 pm

Re: Safety of viewing PDF files in PDF-XChange Viewer

Post by Patrick-Tracker Supp »

Hi Impress
Impress wrote: You can set 'Allow Launch Actions' to 'Never'. Will that prevent anything from being launched, even HTTP or HTTPS URLs?
I believe they function the same. In the Editor, it will ask you if you wish to open the link when you click on it. In the Viewer, it simply will do nothing.
Impress wrote: Is there any way to configure PDF-XChange Viewer to get rid of JS notifications and at the same time have JS completely disabled?
All you need to do is turn off the "Show warning when JavaScript executes", and be sure that "Enable JavaScript Actions" is not enabled.

HTH :D

Cheers,

Patrick Charest
Tracker Support North America