PDF Security Rendering with Adobe Flash
Security & the dangers of rendering PDFs to Flash
The dangers of using a Flash PDF Viewer to deliver PDF DRM Security
When trying to deliver secure PDF documents to the screen, many different approaches are taken. The problem to be solved is easily specified: to prevent, as much as possible, the theft of the information being shown on the screen, while retaining as much PDF functionality as possible (indexes, internal and external links, searching, presentation and so on). Solving the problem is not so easy.
One technique suppliers use is to convert a PDF document into Flash pages and send those to the client through the browser. The apparently good news is that users ‘only’ have to install Flash on the desktop, can ‘log in’ with an id/password scheme to get hold of the document, and there is no download.
The bad news gets worse. Unfortunately, the native Flash viewer has not proved to be secure. The problems are not new, and Flash users should by now have got used to doing updates consistently (except for the period of time when Adobe code-signing keys were compromised). But the fact remains that browser plug-ins and mobile apps can open systems to a wide range of vulnerabilities, starting with remote code execution and moving on to the theft of passwords stored in Windows. For those not of a nervous disposition, see the current known Adobe Flash Player vulnerability list.
So although it seems to be a simple implementation, using Flash on its own only creates security problems and leads to a low-functionality result. Trying to improve the functionality makes the security even worse. It is more of a lose/lose situation.