I’d love to hear more about why PDFs might be riskier than, say, azw or epub. Is it something inherent in the pdf format, or are pdfs so comparatively common they’re a more attractive vector of attack?
Arbitrary files can be embedded inside a PDF (by design), such as malicious code files. Many PDF readers have security issues allowing for PDFs to automatically allow for code execution of those embedded files, or prompt the user for a click to execute the files.
Just search for something like “executable code inside PDF” and browse through the many results of examples, issues, and tutorials to see.
to add to it, you “can” add anything arbitrary, but it is not same as downloading a executable. Due to some really weird reasons, many parties were interested in using pdfs like interactive forms, for example some government forms, where you can fill a field, and you can add scripting to execute upon input and convey back. It is somewhat like javascript for pdfs, and then the onus is on the pdf readers to be compliant enough to execute such scripts, and provide enough access to your system. Many minimal pdf viewers do not implement these features, or for example pdf viewer in firefox has the option to execute, but disabled by default.
There is scripting on them, and afaik it’s actually javascript. It’s a limited version of it (the actual specification was supposed to allow for data sending and receiving, and complete arbitrary code), but it’s enough to run code. A madlad has ported doom and linux to PDF, and you can fully run them on a compliant enough pdf viewer.
I believe pdfs can load remote images, which pings a server.
There are other reasons, I haven’t got sufficient knowledge.
Some pdf readers will offer a sandboxed mode improving security. I think zathura has this for instance.
I’ve had one children’s book that Gmail flagged as a virus when I tried to send it to my nieces eBook Reader via Mail, so I deleted that and just got another instead. I didn’t bother opening the book because I didn’t not care much so it might just have been a false positive. I don’t remember which format.
It was the only one out of about 200 books that got flagged.
I haven’t seen anything except the safe pdfs, epub etc formats. Similarly to movies there shouldn’t be a risk to downloading malware unless you execute the files (e.g. double click).
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !piracy@lemmy.dbzer0.com
⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.
I’ve never encountered malicious content in book form. Avoid PDFs if you are worried.
I’d love to hear more about why PDFs might be riskier than, say, azw or epub. Is it something inherent in the pdf format, or are pdfs so comparatively common they’re a more attractive vector of attack?
Arbitrary files can be embedded inside a PDF (by design), such as malicious code files. Many PDF readers have security issues allowing for PDFs to automatically allow for code execution of those embedded files, or prompt the user for a click to execute the files.
Just search for something like “executable code inside PDF” and browse through the many results of examples, issues, and tutorials to see.
to add to it, you “can” add anything arbitrary, but it is not same as downloading a executable. Due to some really weird reasons, many parties were interested in using pdfs like interactive forms, for example some government forms, where you can fill a field, and you can add scripting to execute upon input and convey back. It is somewhat like javascript for pdfs, and then the onus is on the pdf readers to be compliant enough to execute such scripts, and provide enough access to your system. Many minimal pdf viewers do not implement these features, or for example pdf viewer in firefox has the option to execute, but disabled by default.
epubs are effectively self contained html files, but the scripting is not there (afaik)
There is scripting on them, and afaik it’s actually javascript. It’s a limited version of it (the actual specification was supposed to allow for data sending and receiving, and complete arbitrary code), but it’s enough to run code. A madlad has ported doom and linux to PDF, and you can fully run them on a compliant enough pdf viewer.
LinuxPDF
DoomPDF
(My bad, I wanted to reply to a higher post, but I’m gonna leave this here cuz federation is sometimes weird with deleted comments)
I believe pdfs can load remote images, which pings a server. There are other reasons, I haven’t got sufficient knowledge. Some pdf readers will offer a sandboxed mode improving security. I think zathura has this for instance.
I’ve never encountered one and I download from there a lot!
I’ve had one children’s book that Gmail flagged as a virus when I tried to send it to my nieces eBook Reader via Mail, so I deleted that and just got another instead. I didn’t bother opening the book because I didn’t not care much so it might just have been a false positive. I don’t remember which format.
It was the only one out of about 200 books that got flagged.
I haven’t seen anything except the safe pdfs, epub etc formats. Similarly to movies there shouldn’t be a risk to downloading malware unless you execute the files (e.g. double click).
Nothing malicious that I know of. 🙃
The emulation community has Redump and No-Intro for verifying the integrity of roms. Maybe we need the same for books?
I think I downloaded a recipe book once that turned out to be a different book about woodworking… But nothing explicitly malicious, no