"I would have to imagine that it has just as much potential to have bugs as any other software," said Andrew Storms, director of security operations at nCircle Security, in an interview Tuesday conducted via instant messaging. "It would appear they are banking on the open-source community to provide better security than the closed source commercial PDF viewer from Adobe. By pulling the PDF reader 'in house' via an open-source initiative, it lets them release bug fixes much faster and on their own schedule."
Storms was echoing comments made last month by other security professionals.
Firefox 19 renders PDF documents for viewing and printing without requiring a separate plug-in, following a 2010 move by Google's Chrome.
Mozilla acknowledged that the viewer was not protected by any special defense, as are malformed PDFs in Adobe's Reader -- at least on Windows, which provides a full-fledged sandbox -- or in Google's Chrome, which sandboxes each tab, isolating a rigged PDF from the rest of the browser.
"PDF.js runs with the same permissions as any Web page though, so there would have to be a security problem with Firefox itself," tweeted the PDF.js team last month in reply to a question about potential security issues with the viewer.
But Storms noted the flip side. "So if this PDF process, as part of Firefox, has a hole, the attacker in theory then owns the browser instead of just the plug-in process," Storms said.
Mozilla also patched 13 vulnerabilities, 10 critical, one marked "high" and two pegged "moderate," in Firefox today.
Nearly half of the bugs were reported by Abhishek Arya, better known as "Inferno," of the Chrome security team, Mozilla said in one of today's advisories, making this the third Firefox upgrade running where Arya has accounted for a major part of the reported vulnerabilities.