What's newsworthy about this? It seems like this is a bug in Chrome 56, the current beta version (not stable), in a non-default configuration (the built-in PDF plugin disabled), and the Chrome team is treating it as a bug because it's been assigned to someone to work on. What am I missing?
Maybe i'm not following but if you disable the plugin, and tell it not not automatically open the pdf it still just opens it in the native reader. Any exploits in the document will run.
Assuming i am not misunderstanding the issue that's a pretty big deal.
Not nearly as bad as last year's bug where Chrome would randomly and silently drop characters from a printed document. That lasted for almost a month [0].
Truth be told, I actually prefer PDFs opening in browser compared to downloading the file, opening the file, reading it, and then having to delete file (unless I actually want to save it.) If it's a file I want to keep, I right click and save or save the already open PDF. Most of the time I'm just looking for information in a datasheet and don't want to actually download the PDF.
This bug only applies to people who have disabled Chrome's built-in PDF reader, if I'm reading it right. (And pdfium is probably the world's best in-browser PDF reader; it works reliably, it's well-sandboxed, and it's free software despite being based on the proprietary/commercial Foxit codebase.)
17 comments
[ 3.0 ms ] story [ 28.4 ms ] threadAssuming i am not misunderstanding the issue that's a pretty big deal.
[0] https://bugs.chromium.org/p/chromium/issues/detail?id=658606
With the state of PDF security this could a one-click pwn.