Not sure if this post isn’t a ~comp topic in disguise, but I’ll leave a comment that certainly is:
Given there have already been numerous exploits using PDF’s scripting (example*), one has to wonder when the point is reached where fully arbitrary execution possibilities in a PDF will be stopped/made unsupported.
I suspect it is currently not a big issue yet simply because many vendors’ default PDF viewers are just that – fairly dumb viewers. Some don’t even support all of the actually useful features! Let alone the, ahem, less commonly needed ones like CAD work as a file within a PDF (yes, an actual part/extension of the standard, known as PDF/E.)
Another “issue”/example for my case which I happen to know: Apple’s platforms, by default (e.g. for the print to PDF features) produce some ancient PDF version, I believe something like 1.3 from the early 2000s (most current alternative would be a revision to 2.0 from 2020 IIRC). And why would they need to support anything higher in default PDF creation? 3D annotations? Sound? Video? The old versions of the standard are a perfectly fine format for just displaying static content in a portable manner. (In fact, 1.3’s the basis for the first version of the PDF/A archival standard, if I’m not mistaken.)
So, I’d claim that both low use on the producer side(s) and low usability/availability on a lot of the consumer/user side for some of the most advanced PDF features are the reason this hasn’t caused more mainstream concern so far in terms of exploits. I guess we’ll have to see what happens once these features (if ever) see an uptake/widespread usage. Maybe you won’t be able to open arbitrary email attachments anymore without consideration, after all… or maybe it’ll be like tracking pixels in today’s email: annoying, potentially harmful, but realistically not a security issue except for privacy.
*Correction: I read the Project Zero explanation post again, and the described exploit, as far as I understand it, actually in fact wasn’t an issue with JS availability in PDF, at least not directly.
My current company is very PDF heavy, and as far as I know, we're very aware of it, and have blocked off code execution from that side for a while now. If that helps ease your mind a bit lol.
I feel like PDFs are being phased out. Most people don't want to pay for Adobe and without Acrobat it is so much harder to do anything with a PDF.
It used to be so easy until Adobe enshittified PDFs/Acrobat.
In the workplace, I see people using PDFs very rarely anymore.
I was even told recently that I shouldn't be submitting my Resume in PDF form and should be using Word file format. That seems insane to me.
But yeah the enshittification seems to be killing PDFs.
I think that may be field- or site-specific. In academia and healthcare, it's just PDFs all over the damned place.
It’s everywhere. PDF is the document archival format. It’s also used extensively in publishing because every piece of software knows what to do with it, more or less.
That being said, a lot of companies do not support PDF in the way that Adobe wants them to. PDF has a lot of frankly stupid shit in it. There’s great things like form support, but there’s also brain dead things in it - did you know that Acrobat has its own MTA in it to send emails? If you wonder why there were so many PDF vulnerabilities, it’s because Adobe has essentially always been stupid about everything they do.
There is a simplified version of the standard which is open and called PDF/A, which is just enough for most documents. Specifying an export of PDF/A will ensure that it will open in just about everything.
They're the number one company I'd like to see burn to the ground after the shit they've put us all through over the last decade.
The market is cornered, their subscription options are very limited and it's far too expensive to justify as a hobbyist.
Great tip about PDF/A.
Re Adobe and the PDF nightmare, I wonder whether the PSD format is similarly junky.
Agreed, you’re correct. There’s even PDF sub-standards specifically for publishing. (and a bunch of other things as well, of course, for example one for accessibility!)
Two things I would like to chime in with here:
Depending on the fonts you use, a PDF/A file might drastically increase in size – by chance, I just recently happened to try it (using this GPT-generated ghostscript command as a basis), the file with a couple of pages of text went from a few hundred kB to 6 megabytes.
The full standards themselves have been made much more accessible in the recent past. Here’s a post by the industry group PDF association: link with free download
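Added example, not code from anyone in this thread: a small Python triage script that does what the comments above argue for from the defender's side. It reports a file's header version, whether its XMP metadata claims PDF/A, and which active-content features the standard carries (JavaScript and open actions, launching external programs, embedded files, rich media and 3D annotations) are present in the raw bytes. The two fixtures, the feature table and the `triage` function are constructed for this example; it is a byte-level heuristic, not a PDF parser.

```python
import re

# Names (from ISO 32000) that trigger actions or carry active content; reasons are ours.
ACTIVE_FEATURES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code (string or stream)",
    b"/OpenAction": "action fired when the document opens",
    b"/AA": "additional actions (page, field or document events)",
    b"/Launch": "launch an external application",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "rich media (video/sound) annotation",
    b"/3D": "3D model annotation (the PDF/E-style CAD content)",
}
NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"  # a name ends at whitespace, a delimiter or EOF

def _unescape_names(data: bytes) -> bytes:
    # Names may spell bytes as #XX (/J#53 is /JS), a cheap way to dodge naive greps.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def pdf_version(data: bytes):
    m = re.search(rb"%PDF-(\d\.\d)", data[:1024])  # header may follow leading junk
    return m.group(1).decode() if m else None

def pdfa_claim(data: bytes):
    # PDF/A files announce themselves in XMP, e.g. pdfaid:part="1" pdfaid:conformance="B"
    def xmp(field, pat):
        m = re.search(rb"pdfaid:" + field + rb"\s*(?:=\s*[\"']|>)\s*(" + pat + rb")", data)
        return m.group(1).decode() if m else None
    part, conf = xmp(b"part", rb"\d"), xmp(b"conformance", rb"[A-Za-z]")
    return "PDF/A-%s%s" % (part, conf.upper() if conf else "") if part else None

def triage(data: bytes) -> dict:
    """Heuristic scan of raw PDF bytes: version, PDF/A claim, active features."""
    text = _unescape_names(data)
    found = {}
    for name, reason in ACTIVE_FEATURES.items():
        hits = len(re.findall(re.escape(name) + NAME_END, text))
        if hits:
            found[name.decode()] = {"reason": reason, "count": hits}
    return {
        "version": pdf_version(data),
        "pdfa": pdfa_claim(text),
        "features": found,
        "risky": bool(found),
        # Names inside compressed object streams are invisible to a raw scan; inflate /ObjStm first.
        "has_object_streams": re.search(rb"/ObjStm" + NAME_END, text) is not None,
    }

# Constructed fixtures (minimal, not meant to render): open-time JavaScript vs. a PDF/A-1b claim.
SAMPLE_ACTIVE = (b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (sample-only) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_ARCHIVAL = (b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Metadata /Subtype /XML >> stream\n"
    b"<rdf:Description xmlns:pdfaid='http://www.aiim.org/pdfa/ns/id/'"
    b" pdfaid:part='1' pdfaid:conformance='B'/>\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

A file that scans clean but has object streams has not been cleared; the names may simply be inside the compressed objects.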
Do academia and healthcare pay for Adobe?
The individual institutions may, and the big ones do, but they expect everyone else to use it regardless. Even worse is that most don't know how best to use it. I see so many PDFs of images of OCR-able text per day, that I can only laugh to stave off the despair. :)
Not to mention all the "digitally signed" documents that just include an inserted image of a signature. Or those forms sent with the requirement that we print, sign, scan, and return. Bonkers. I need to do a breathing exercise right now.
On the student affairs side of the house, but yes, students, faculty and staff all have Creative Cloud access.
Recruiters / headhunters / staffing agencies want your resume in Word because they want to be able to easily edit it themselves, for better or for worse. Some people refuse to send a Word doc for exactly the same reason - they don’t want unapproved edits.
Yeah this is why I will never do that. I don't know why they would want to edit my resume for any reason, but I don't want anyone to have that option. You give a PDF because it's a completed document. Makes no sense to send an editable document.
This is especially laughable as PDFs are trivially editable. (Admittedly, trivial means paying Adobe anywhere from $20 or $30 for an Acrobat Standard "license"/subscription, but for someone in recruiting that’s a business expense.)
This is terrifying.
Do you know why recruiters would even want to edit a resume?
I'm not in HR, but I can think of a few.
Formatting. They may use an internal tool that archives resumes by parsing certain parts and some layout changes may be needed to make some compatible.
Inline notes. Maybe their process involves multiple layers of screening and they just don't want to generate a ton of extra documents. If I was a small business where hiring was just me I could see wanting to just take notes in the same document I'm already looking at.
Stripping bias information. This seems the strongest to me. I recall seeing an article about someone that submitted the same resumes with "black sounding" and "white sounding" names and bias being found. So I could definitely understand a company policy that involves that kind of info being stripped prior to reaching anyone that would be involved in making the decision.
I don’t really think it’s possible for PDFs to be phased out at minimum until a viable replacement exists, and not only exists in theory, but is able to be worked with – natively (!) – on a majority of devices out there, that is, at the very least opening in a visually faithful representation mode, if not more (adding images/inserting pages/signing etc.)
Because it is. Thanks for the new nightmare shudders
Yeah I was like wtf are you smoking?
They also complained about my ~260 KB file being too large.... Seriously? It's a one page resume in PDF form. In word it's like 40 KB sure, but that's still nothing. And I hate that this seems to be something they track.
Are ATSs throwing out PDFs and larger files for basically no reason??? That seems to be what was implied. And would explain why I haven't been able to get an interview in over a year.
I would think (hope) that’s not the actual reason or issue here. I could see a limit of maybe 5-10 MB if they’re being intentionally conservative (or would like to prevent folks from attaching a 4k resume portrait shot into their files…). And then anything less than a megabyte in a limit nowadays is ridiculous.
This is not a charitable take from me at all, but I can’t help but wonder if it’s just the number and not the actual size... like would they complain at your 600kb file but shrug past a 12mb file because 12 is small and 600 is big?
I don't want or need PDFs to be phased out, just stripped down of its bloat down to basics with the original goal of being good at preserving document layout and presentation across systems. I wouldn't mind a combination of PDF/A and form support becoming the standard instead of Adobe's arbitrary code execution as a feature.
I hate that a program that either requires $200 up front (for the already-out-of-date perpetual licence version) or yet another bullshit subscription is the de-facto default recommendation. I’ve been trying to push back against it at my workplace, but it’s so entrenched and yeah the PDF format is not as convincingly the better option these days.