May 03, 2010, 10:33 AM — Microsoft should add a basic PDF viewer to Windows to help protect users from the spike in attacks exploiting bugs in Adobe's Reader, a security researcher said Friday.
The /Launch function, which allows PDF documents to run embedded executable files, is currently being exploited by attackers in a widespread malicious message campaign that tries to trick users into opening a rigged PDF.
Sullivan spelled out his case in more detail in a post to the F-Secure security blog on Thursday. "Your customers are tired of the exploits and the complications that so many of today's PDF readers include," said Sullivan in a "Dear Microsoft" missive.
"They should write a really simplified viewer, one that just previews PDF," Sullivan added Friday in a telephone interview. "They don't even need to build it into the operating system. They can make it an optional download like they did the 'Save As PDF' add-in for Office."
Although Microsoft intended to add support for saving documents in the PDF file format to Office 2007, it was forced to backtrack when Adobe balked. Instead, Microsoft built a "Save As PDF" add-on that it made available free of charge. After Adobe submitted the PDF/A specification to the ISO (International Organization for Standardization) in 2008, Microsoft added "Save As PDF" support to its suite with the release of Office 2007 Service Pack 2 (SP2) a year ago. The same feature is available in Office 2010.