Mozilla Launches In-Browser PDF and Bug Patches


Last Tuesday, Mozilla released Firefox 19, which features a built-in PDF viewer. Aside from that, they’ve enhanced under-the-hood features for website developers, and added support for HTML5 standards. Firefox 19 also includes patches for 13 Firefox bugs, 10 of which were pegged as “critical.”

Meet Firefox’s Built-in PDF Viewer

Among the changes brought by Firefox 19, the inclusion of a PDF viewer was the most noticeable. The feature was once slated for Firefox 18 as part of that edition’s beta, but it was pulled back before the browser was shipped earlier this month. Thus, the browser’s next iteration encountered some delays.

The built-in PDF viewer is a byproduct of a Mozilla Labs project dubbed PDF.js. The “js” stands for JavaScript, which, together with HTML5 application programming interfaces, was used to build the browser’s viewer.

With the release of its built-in PDF viewer for Firefox 19, Mozilla appears to be following in the footsteps of Google Chrome. The search engine giant released a PDF viewer in Chrome more than two years ago.

Security Risks of PDF Viewer on Mozilla

However, Chrome’s PDF viewer operates inside the browser’s anti-exploit sandbox, while Firefox doesn’t have the same defenses. That defense is very important, as PDF documents are usually rigged with malicious code.

But Mozilla claims that even without the sandbox, its PDF viewer would be more secure than traditional plug-ins like Adobe Reader. As Mozilla’s Engineering Manager Bill Walker and Software Engineer Brendan Dahl wrote in a January blog post, “Many of these plug-ins come with proprietary, closed source code that could potentially expose users to security vulnerabilities.”

However, security experts pointed out that Firefox’s PDF viewer is likely to suffer from bugs of its own. According to Andrew Storms, director of security operations at nCircle Security:

I would have to imagine that it has just as much potential to have bugs as any other software. It would appear they are banking on the open-source community to provide better security than the closed source commercial PDF viewer from Adobe. By pulling PDF reader “in house” via an open-source initiative, it lets them release bug fixes much faster and on their own schedule.

Storms’ remarks reflect comments made by other security professionals last month. On the other hand, Firefox 19 renders PDF documents for viewing and printing without requiring a separate plug-in, following a 2010 move by Google Chrome.
