I mean, sure it'd be totally blackhat to publish a brand new pdf exploit this way, but blackhat as a conference went way beyond those roots a long time ago.
All phishing attacks require you to click on a link embedded in the PDF, right?
On the one hand, you'd think anyone technologically savvy wouldn't do that.
On the other hand, accidentally clicking on links in PDF's is the bane of my existence. I constantly consume academic books and papers as PDF's on my iPad in the built-in Books app, tap somewhere with my Apple Pencil for any number of reasons (to pan, to zoom, to highlight), and bam I'm transported 100's of pages away and with no back button.
If I could ask for any PDF reader feature, it would be to improve link handling. If it's an internal link, for the love of god include a back button. And if it's an external link for a web browser, for the love of god require a confirmation dialog first. I should never be led to a malware URL because of an accidental click.
I mean, multiple jailbreaks merely required you to open the PDF: it isn't just phishing attacks that have made me wary of PDF files. (But we also have seen jailbreaks that rely only on JavaScript that can be run in the browser, so ¯\_(ツ)_/¯).
The most famous exploits in Apple's PDF stack (notably not present in Adobe's renderers) came from bugs in freetype (a software font rendering stack also used by a lot of Linux systems), specifically in the VM (seriously: it is an interpreter for a stack machine) used to run the embedded bytecode truetype fonts use to "hint" their fit to the pixel grid.
Qubes is wonderful. I read HN and surf the web/social in a dvm - disposable vm, so if you are exploited, not only is it contained to the vm, it’s contained to the vm until you close it, at which point all changes are discarded.
(Modulo any Xen exploits that make it through and affect Qubes. no security is perfect.)
My guess is that my brain has subconsciously tuned out engaging pdf content because of how difficult it is to use in-browser... Especially when dealing with text sizes and zooming sigh. It's even worse with pdfs on mobile :(
Also the sudden break from "website" to "pdf" format is often jarring.
Just amusing that after all these decades this is still not a solved problem. Why can’t the browser just translate the PDF into HTML and display it normally in a “virtual” webpage? Make it pdf:// or whatever.
iOS solved this in like version 3 (well more specifically, safari did). For all the bitching HN does about safari at least they managed to get pdf viewing right on mobile.
On android I have to use a firefox fork called iceraven to be able to install pdf.js extension to use mozilla's own pdf.js to load pdf's in my tabs. Afaik, there's no other way to do it.
I thought of making something like this once. Then I started to look into the PDF standards and realized it's one of those things that you're thinking, why has nobody done this? Then you start looking into it and you realize why nobody's done it. The task would be monstrously difficult if you want to cover all the things that can be in a PDF.
PDF is a beast. It's a ridiculous file format. There's a reason why even after all these years, reading PDFs still kinda sucks.
The presentations get published.
Isn't this totally normal?
I mean, sure it'd be totally blackhat to publish a brand new pdf exploit this way, but blackhat as a conference went way beyond those roots a long time ago.