PDF document security: A look inside Google Chrome PDF viewer

Frequently, SearchMidmarketSecurity.com readers ask: "How do I view PDF documents securely?" With the typical caveats that "securely" is subjective and a new exploit could render this suggestion moot, I'd like to suggest the Google Chrome PDF viewer (a Foxit plug-in). There are two reasons this free secure PDF viewer is more secure than Adobe Reader: rendering and sandboxing.

First, by using a Foxit-based PDF renderer you are less likely to be compromised by a PDF exploit targeting Acrobat's renderer. Of course an attacker could target the Foxit rendering implementation as easily as Adobe's, and we should assume Foxit vulnerabilities exist. However, a reasonable assumption is that an attacker wanting to compromise systems via PDF will target the much more common Adobe Reader PDF viewing platform. When you use an alternate renderer you are less likely to be exploitable.


Secondly, Google Chrome's security model limits the interaction of the rendered webpage content (or the PDF document) with the operating system via a technique known as sandboxing. Chrome is divided into two functionally isolated halves: the rendering engine, which processes content and outputs bitmap images, and the other half, which controls the renderer and interacts with the underlying OS. By isolating rendered components, the Chrome browser reduces the opportunities for an attacker to exploit the operating system running the browser. A document on the Chromium Security Architecture (.pdf) gives an interesting overview of the anticipated threats and the design decisions (and tradeoffs) behind Chrome's security.

Together these two factors greatly reduce the risk that your system will be compromised via a maliciously created PDF file. If you'd like to verify that Chrome is using the Foxit plug-in rather than, for example, an Acrobat plug-in, you can browse to chrome://plugins/. The following screenshot shows the Google Foxit plug-in enabled:


Similarly, the next screenshot shows the Adobe Acrobat plug-in disabled:


Great, you say, Chrome is now configured to view PDFs with a proper plug-in, but how do I make it my default viewer for all PDFs? You'll need to configure Windows to use Chrome as the default viewer for the PDF file type. For anyone who has forgotten how, just right-click on a PDF and select Open With -> Choose Program. Chrome is a little unusual in that you will not find it installed under Program Files. Instead, you'll look in your user profile. Here is an example: "C:\Documents and Settings\your_username\Local Settings\Application Data\Google\Chrome\Application\chrome.exe". If you can't find it you could always look at the startup shortcut that Chrome installed. Now your system will call Chrome to view PDFs by default. You will lose the PDF features that Reader has but, should you need those, you can always manually select Reader.
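To confirm the association took effect, the following added example (not part of the original tip) resolves the command Windows will run for .pdf files for the current user and reports whether it points at chrome.exe. The function names Get-OpenCommand and Get-PdfHandler are hypothetical; the script assumes the standard Windows file-association registry locations, including the per-user "Application" value that Windows XP writes when you pick a program through Open With.

```powershell
# Added example: which executable opens .pdf for the current user?
function Get-OpenCommand([string]$ProgId) {
    # HKCR\<ProgID>\shell\open\command holds the command line for the "open" verb
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (Test-Path -LiteralPath $key) {
        (Get-Item -LiteralPath $key).GetValue('')   # '' reads the (Default) value
    }
}

function Get-PdfHandler {
    $ext = '.pdf'
    $fileExts = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext"
    $candidates = @()

    # Per-user choice on Windows Vista and later: UserChoice\ProgId
    $uc = Get-ItemProperty -LiteralPath "$fileExts\UserChoice" -ErrorAction SilentlyContinue
    if ($uc -and $uc.ProgId) { $candidates += $uc.ProgId }

    # Per-user choice on Windows XP: an "Application" value naming the exe
    $xp = Get-ItemProperty -LiteralPath $fileExts -ErrorAction SilentlyContinue
    if ($xp -and $xp.Application) { $candidates += "Applications\$($xp.Application)" }

    # Fallback: class default, HKCR\.pdf (Default) -> ProgID
    $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
    if (Test-Path -LiteralPath $extKey) {
        $def = (Get-Item -LiteralPath $extKey).GetValue('')
        if ($def) { $candidates += $def }
    }

    # The first candidate that resolves to an open command is the effective handler
    foreach ($progId in $candidates) {
        $cmd = Get-OpenCommand $progId
        if ($cmd) {
            return New-Object PSObject -Property @{
                ProgId   = $progId
                Command  = $cmd
                IsChrome = ($cmd -match '\\chrome\.exe')   # -match is case-insensitive
            }
        }
    }
}

Get-PdfHandler | Format-List
```

If IsChrome is False, the Command value shows which program is still registered to open PDFs.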

As always, it's best not to run applications within an administrative context unless required, so it's a good idea to perform daily tasks as a non-administrator.

Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.


This was first published in October 2010
