I’d love to hear more about why PDFs might be riskier than, say, azw or epub. Is it something inherent in the pdf format, or are pdfs so comparatively common they’re a more attractive vector of attack?
Arbitrary files can be embedded inside a PDF (by design), such as malicious code files. Many PDF readers have security issues allowing for PDFs to automatically allow for code execution of those embedded files, or prompt the user for a click to execute the files.
Just search for something like “executable code inside PDF” and browse through the many results of examples, issues, and tutorials to see.
to add to it, you “can” add anything arbitrary, but it is not same as downloading a executable. Due to some really weird reasons, many parties were interested in using pdfs like interactive forms, for example some government forms, where you can fill a field, and you can add scripting to execute upon input and convey back. It is somewhat like javascript for pdfs, and then the onus is on the pdf readers to be compliant enough to execute such scripts, and provide enough access to your system. Many minimal pdf viewers do not implement these features, or for example pdf viewer in firefox has the option to execute, but disabled by default.
There is scripting on them, and afaik it’s actually javascript. It’s a limited version of it (the actual specification was supposed to allow for data sending and receiving, and complete arbitrary code), but it’s enough to run code. A madlad has ported doom and linux to PDF, and you can fully run them on a compliant enough pdf viewer.
I’ve never encountered malicious content in book form. Avoid PDFs if you are worried.
I’d love to hear more about why PDFs might be riskier than, say, azw or epub. Is it something inherent in the pdf format, or are pdfs so comparatively common they’re a more attractive vector of attack?
Arbitrary files can be embedded inside a PDF (by design), such as malicious code files. Many PDF readers have security issues allowing for PDFs to automatically allow for code execution of those embedded files, or prompt the user for a click to execute the files.
Just search for something like “executable code inside PDF” and browse through the many results of examples, issues, and tutorials to see.
to add to it, you “can” add anything arbitrary, but it is not same as downloading a executable. Due to some really weird reasons, many parties were interested in using pdfs like interactive forms, for example some government forms, where you can fill a field, and you can add scripting to execute upon input and convey back. It is somewhat like javascript for pdfs, and then the onus is on the pdf readers to be compliant enough to execute such scripts, and provide enough access to your system. Many minimal pdf viewers do not implement these features, or for example pdf viewer in firefox has the option to execute, but disabled by default.
epubs are effectively self contained html files, but the scripting is not there (afaik)
There is scripting on them, and afaik it’s actually javascript. It’s a limited version of it (the actual specification was supposed to allow for data sending and receiving, and complete arbitrary code), but it’s enough to run code. A madlad has ported doom and linux to PDF, and you can fully run them on a compliant enough pdf viewer.
LinuxPDF
DoomPDF
(My bad, I wanted to reply to a higher post, but I’m gonna leave this here cuz federation is sometimes weird with deleted comments)