PDF.js For Chrome – It Works!

edit: Now available on the Chrome Web Store: (use this! not the one I link later from Opera)

https://chrome.google.com/webstore/detail/pdf-viewer/oemmndcbldboiebfnladdacbdfmadadm?utm_source=chrome-ntp-icon

So Opera recently came out with a PDF.js extension for their latest Blink build of the browser. I kinda thought, hey, Opera and Chrome aren’t all that different anymore… maybe it’ll work? So I downloaded the file from:

https://addons.opera.com/en/extensions/details/pdf-viewer/

And I got a pdf-viewer-0.8.169-1.nex and I changed the file extension to pdf-viewer-0.8.169-1.crx. 

I then launched Chrome with the command flag --easy-off-store-extension-install and opened up chrome://extensions. I dragged the .crx file onto the page, and voila – it installed!

So then I opened up the first PDF I found on Google and…

Success! PDF.js now works in Chrome, with just a little bit of work. The extension almost certainly won’t autoupdate, though perhaps it will. No idea. But there you have it.
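An added example, not part of the original post: a pre-install check for an off-store package like the renamed .nex above. It assumes the file uses the CRX version 2 container (a "Cr24" header followed by a ZIP); the sample package, its permissions and the function names are constructed for illustration.

```python
import io
import json
import struct
import zipfile

# Constructed sample manifest; the permissions are illustrative only.
SAMPLE_MANIFEST = {
    "name": "PDF Viewer",
    "version": "0.8.169",
    "permissions": ["webRequest", "webRequestBlocking", "<all_urls>", "tabs"],
}

def build_sample_crx2(manifest: dict) -> bytes:
    """Build a constructed CRX2 file: header, dummy key and signature, ZIP payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
    pubkey, sig = b"\x00" * 16, b"\x00" * 8  # placeholders, not real key material
    header = b"Cr24" + struct.pack("<III", 2, len(pubkey), len(sig))
    return header + pubkey + sig + buf.getvalue()

def inspect_crx2(data: bytes) -> dict:
    """Parse the CRX2 header and return the manifest fields worth reviewing.

    This does not verify the package signature; it only shows what the
    extension asks for and whether it declares an update channel.
    """
    if len(data) < 16 or data[:4] != b"Cr24":
        raise ValueError("not a CRX container (missing 'Cr24' magic)")
    version, key_len, sig_len = struct.unpack("<III", data[4:16])
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    zip_start = 16 + key_len + sig_len
    if zip_start > len(data):
        raise ValueError("header lengths exceed file size")
    with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as z:
        manifest = json.loads(z.read("manifest.json"))
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "permissions": manifest.get("permissions", []),
        # No update_url means the manifest names no update server of its own.
        "update_url": manifest.get("update_url"),
    }

if __name__ == "__main__":
    print(inspect_crx2(build_sample_crx2(SAMPLE_MANIFEST)))
```

Broad host permissions such as `<all_urls>` and a missing `update_url` are the two things to weigh before sideloading a package that will not be vetted or patched through the store.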

One of the benefits of PDF.js is that your entire PDF “program” is implemented in Javascript. Chrome runs Javascript in an incredibly tight sandbox in its renderer, so attacks using PDFs will be restricted to that sandbox.

So there you have it. Chrome now has PDF.js, and it’s available on Firefox and Opera as well. For more on PDF.js in Chrome, see my earlier post.

 

PDF.js And Chrome – A Match Made In Heaven?

PDF.js is a Mozilla project built with the purpose of reducing trusted code by having PDF files handled by the JavaScript renderer. This means that instead of having a separate plugin built in C++ there’s just the same old JavaScript renderer, with no need to build on potentially exploitable code.

It’s a great idea and it works on a very simple principle that should always hold true – reduce attack surface where possible.

This isn’t some kinda amazing security thing though. JavaScript renderer exploits happen all the time; in fact, that’s probably where they’re most likely to happen. Firefox also doesn’t implement some important mitigation techniques for JIT hardening (things like ASLR/DEP don’t apply here), though that’s more complex and when you look at their architecture it’s difficult to really say how important it is.

As PDF.js is entirely in Javascript it can theoretically run in any browser that supports Javascript, like Chrome.

The renderer is the ‘exposed code’ in this situation and Chrome runs its renderer at Untrusted Integrity. That means it has no file access. So even if a PDF exploits PDF.js in Chrome it’s trapped in the most restricted part of the browser and there’s really nothing it can do – it can’t read or write anywhere so even in-browser attacks are limited.

As it stands PDF.js works in Chrome but there’s no extension/plugin for it yet. Someone get on that – I want.

The Definitive Guide For Securing Firefox

This is part 1 in a series where I’ll be detailing various settings for specific programs and operating systems. I’ll be writing a guide for Chrome, Firefox, Windows Vista/7/8, and Ubuntu 12.04 (maybe other things I can think of). The guide will cover everything I can think of, including system compromise, in-program compromise, and privacy concerns. I won’t cover all subjects today, probably just Firefox and Chrome.

Firefox

Firefox is the free and open source browser developed by Mozilla. It focuses on user-oriented features like a customizable UI and ensuring user satisfaction through an interactive developer community.

By default, without any plugins, Firefox is fairly secure in that it makes use of modern mitigation techniques and is quick to patch. This guide will go over some Firefox extensions that you can install as well as settings that you can change to improve security and privacy.

Privacy Settings

First up we’ll change our privacy settings to include the Do Not Track header, which I recently posted about. We’ll also be disabling third party cookies as these are typically only ever used for tracking users (though they can have legitimate uses, like logging into websites via third party logins).

Firefox -> Edit -> Preferences -> Privacy

It should look like this after you’ve changed the settings:

[Image: Firefox privacy settings]

Security Settings

From the privacy tab you can click the next tab – Security.

Here we can set our master password. This password will encrypt all others so that if anyone gains unauthorized access to your system they will not be able to gain access to your information.

See this guide for creating a strong password.

Content Settings

Firefox lets you allow or deny Javascript throughout the browser in the content settings page. Disabling Javascript will break many sites but it will improve security – I recommend NoScript instead.

NoScript

NoScript is an extension developed by Giorgio Maone. NoScript is a default-deny system that blocks a webpage’s ability to run scripts or plugins. It also makes use of a strict XSS filter and clickjacking prevention.

By default NoScript blocks the following:

[Image: NoScript default blocking settings]

This renders most attempts at exploiting the browser unsuccessful and will protect even whitelisted pages fairly well.

The problem with NoScript is that there is a ton of user interaction required. You have to whitelist every site you want to visit. It’s a pain. But if you’re after a high level of security that’s what I recommend. If you globally disallow (default) you’ll benefit even when you whitelist a website.

Even if you hate the interaction I highly recommend you install NoScript and turn on the “Allow Scripts Globally” feature because it will still improve security.

With NoScript ‘Allow Scripts Globally’ you miss out on the full extent of its protection but even then you’ll benefit from a few really great protections such as:

The XSS Filter – NoScript’s XSS filter is kinda the XSS filter to compare all other XSS filters to.

ClearClick – Clickjacking is a method used by attackers to trick a user into clicking a hidden or invisible ‘button’ that can lead to an exploit page or even a bank transaction. ClearClick is the only protection for this currently implemented.

CSRF Protection – CSRF is harder to explain. It attacks from the user’s end of the system so it can do things like get into your email account and bypass protections because it all originates from ‘you.’

MITM Protection – Man In The Middle attacks happen when, simply, the attacker is between you and the server. SSL is the typical solution but you can spoof certs and hijack even SSL communications or just attack mixed content transmissions. NoScript implements multiple protections here.

So, there you have it. Even with Scripts Globally Allowed NoScript is going to make your Firefox much more secure.

HTTPS-Everywhere

HTTPS-Everywhere is an extension developed by the EFF (Electronic Frontier Foundation) that aims to force HTTPS on all sites that make it available.

Many sites, like WordPress, offer HTTPS but don’t default to it. HTTPS-Everywhere will block and redirect requests so that you end up using the HTTPS version.

HTTPS means that the traffic between you and the server is encrypted. That means that no one besides you and the server gets to read or manipulate the data.

This prevents MITM attacks that can be used to sniff passwords or even compromise the machine by redirecting your request to an exploit page.

Convergence

Convergence is an extension that aims to solve many of the issues we see today with SSL and MITM attacks.

Check out this explanation on it here.

It hasn’t been updated in ages, and I’m not even sure if it’s supported anymore, so take this tip with a grain of salt – results may vary.

AppArmor (Linux Only)

I’ve written a guide for AppArmor already but I’d like to highlight that Ubuntu comes with a Firefox profile by default. It probably needs a bit of tweaking but if you follow the guide it’s easy to set up.

To set your AppArmor profile to enforce simply enter:

# aa-enforce /etc/apparmor.d/usr.bin.firefox

Afterwards your Firefox will be held in a tight sandbox, which will prevent and contain exploits.

Use PDF.js

Adobe Reader is one of the most commonly exploited applications and although it has improved you may want to check out PDF.js.

You can use this simple extension to install it and Firefox will handle PDF through Javascript.

You can read more about PDF.js here.

PDF.js is arguably less secure than Adobe Reader as Reader will run within a sandbox. The goal of PDF.js is to reduce attack surface by having PDFs rendered by the Javascript engine already present in Firefox.

Remember

Always make sure to keep Firefox and all of its plugins up to date. This is critical on Windows where out of date plugins consistently lead to compromise.

And Please…

Firefox is not my default browser and hasn’t been for over a year now. If you know of any other methods for securing it please leave me a comment and I’ll try to fit it in. Thanks.