Clive Robinson September 17, 2021 8:48 AM

@ ALL,

OK, it’s Apple this time but the cause is “PDF”, how many times is it now that PDF files have been the root cause if a vulnerability?

Oh and how many times is it now it’s PDFs and mobile phones… It was only a couple of years back Google had a similar issue with PDFs and their MMS…

For those with longer memories PDFs were involved in various vulnerabilities so frequently some admins just stopped them as attachments.

Maybe it’s time that PDF’s did the same as Flash and quietly disappear into the past.

Loganrune September 17, 2021 9:05 AM

so for us dummies, is this Zero-Click threat a problem if i do NOT use iMessage at all on my iPhone ?

Can i disable iMessage on my iPhone and totally avoid this problem ?

Is this vulnerability unique to iMessage (?) — or likely to eventually show up in other messaging applications ?

TimH September 17, 2021 9:27 AM

What we need is a setting such that text message services can be configure to ignore all but text. No embedded anything, no formatting.

Similar to disabling scripting and remote content for html emails.

Clive Robinson September 17, 2021 9:29 AM

@ Loganrune,

… or likely to eventually show up in other messaging applications ?

This specific vulnerability might not, but with PDF’s being the cause, I would expect atleast one more exploit probably two before the end of the year.

After all this was only a little while back,

But it’s not just PDF viewers… They have a habit of calling other things like javascript engines…

Chris Woods September 17, 2021 12:13 PM

Why are we limiting the discussion to “messaging apps”? This is an image processing exploit. Apple Messages is just a tool to target specific individuals, but this exploit could be used to harvest data in a variety of ways. For example, couldn’t a nefarious actor upload an image to an ad network and get data from any phone that loads the image.

lurker September 17, 2021 1:29 PM

This one is not just PDF, it seems PSD can be used as well. Notice that they were both born in the same house…

I’m with @TimH here, what is all that imaging junk doing in a “text” message? Used to be you had TXT messages, and PXT messages. But users couldn’t handle the unix paradigm of a tool for each job. So once again convenience trumps security. Result: bloatware messaging apps that trip over their own bootlaces.

SpaceLifeForm September 17, 2021 3:06 PM

@ Chris Woods

Good point. Malicious ads have existed for over 20 years now. And, look at how much information a web tracking pixel can leak.

Clive Robinson September 17, 2021 7:22 PM

@ lurker,

Used to be you had TXT messages…

In 7bit ASCII only.

Believe it or not that was the only official “standard” (IETF RFC) back in middle of the 1990’s, and some manufacturers stuck to it like glue, so they could charge big fees for upgrading…

I was called upon to defend a mail system administrator in a university who was tasked with providing “standards compliant service” (that was actually in the written job requirment). On an email system centered on a VMS system that was “7 bit ASCII” at the time[1].

A member of the “maths” facaulty complained that some one could not send 8bit mail to them which is fair enough, most data files at the time were 8bit. Such complaints are when you think about it expected, it is after all part of the “change process” that moves things forwards.

However some idiot of a manager decided it was cause for major disiplinary proceadings against the Sys Admin… Simply because the manager was one of those weak individuals who would neither say “no” to people who no should be said to, and would not support the staff they were responsible for. They also took a very dangerous almost religious “Paternalistic” view point, that for obvious reasons got twarted, so they took out their resulting frustrations on those they managed in petty ways…

It did not end well, even the user who wanted 8bit email was shocked by what occured… As he said at the tribunal, he was not complaining against the person I was defending, but about the way things were being done or rather not being done by ICT managment[1].

As we started proving “no wrong” had been committed by the person I was defending, the University Human Resources Dept decided to move the goal posts to protect the manager. Who was visibly not at all happy about how I had cross examined him and made him look a fool with his own paperwork. The person I defended was not “cleared” even though it had been clearly shown they had done no wrong, which they should have been, but was,told they had to attend “staff training in customer communications” and as we later found out a reprimand was placed on their personnel file…

Needless to say the union wrote a letter to the Uni Chancellor expressing “no confidence” in the manager or human resources dept. Which started a battle that eventually went to an actual court case and the “sudden and unexpected” early retirment of the manager, where finally the person I was defending got their name cleared, even though they nolonger worked at the University…

It was not long after that, that the University got raided by the UK security forces of MI5 and what Special Branch had become, on behalf of MI6… Yes it sounds mad but,

If you look up “the person of interest” in the story on Wikipedia you will find your eye brows raising so far the back of your neck will start to itch 😉

[1] For reasons of “legacy” the University mail system used a VMS system with it’s 7bit issue as the public facing “gateway node”. All the other facaulty mail systems that all but one or two were 8bit capable were on Novell based servers fed from that 7-Bit VMS node. Repeated plans to get rid of the VMS 7bit node had been presented to “managment” who had rejected it for supposadly “budget reasons”.

SpaceLifeForm September 17, 2021 11:41 PM

@ Clive

Seems like the 7-bit email system may have been a feature, not a bug.

Maybe that was really irrelevant. I’ll wait for Godot.

echo September 18, 2021 3:30 AM


I got the computing director of a major UK university into very hot water. The short version of the story is they were a weak manager who did not implement sound procurement policies due to office politics or what he called in his own words a “can of worms”. In my estimation this was costing the university approximately £2.5 million p.a. and this was the number the press got wind of and reported. He was suspended and I assume fired or took early retirement. I had already lost interest in him and his fate by then. The damage as they say was already done. I cannot see how his career would have recovered after this.

When it comes to matters of public interest I am scrupulous. I raised my concerns with him personally and with others of influence on public interest grounds. The fact I was diddled out of a job by one of his senior technical people to the point that another person in management was surprised by has nothing to do with this. As a job was adtertised not long afterwards I’m wondering what was going on there. Perhaps he punked me so he could get one of his mates a job. This kind of thing does happen and I found out from one person I met who did get one job I applied for the decision had unlawfully been made before the job was advertised. This was actually in the newspapers too but the journalist fogged it by focusing on the general problem and I’m disappointed it didn’t cause a bigger scandal because it really was appalling. A friend who I helped get a consultancy job for was incidentally elbowed out of the way when the director of the organisation was being flattered by a new media manager who wanted to get one of her friends the job my friend already had. The media manager got her way and the outcome was a predictable disaster as her friend wasn’t up to the job.

As for the seperate issue of the complete mess of cabling in their server room nobody would touch I would like to think this has been sorted out by now. If it hasn’t a pair of snippers might force someone’s hand and speed things up. It’s been done before and not by me I might add just in case anyone wants to kick my door in for one of the London telecoms pinch points going offline in reaction to the management in one major comms company playing office politics.

Interestingly the director of one company I gave advice to on tax issues later followed this advice. The problem is he took it too far and it tipped from a clever wheeze to unlock capital for investment into tax fraud so he wound up in the newspapers for the wrong reasons too.

I really must count the number of stories I’ve had a behind the scenes view of. It’s getting uncomfortably long. Once is happenstance, twice is coincidence, three times is enemy action wot wot.

I was chatting with a crimiologist this week about a few concerns of mutual interest. That’s a story for another day.

tfb September 19, 2021 4:41 AM


Suggesting that the problem is PDF and that we need a better replacement sounds like a good idea … until you realise what would be involved. PDF sits at the heart of every process which produces technical text which might end up on paper, almost any text which has significant mathematical content, and probably close to the heart of any process which produces any text which might end up on paper: I would expect that PDF files are somewhere in the toolchain for almost any paper book. Approximately all mathematical scientists use TeX and probably the vast majority of them are now using a PDF-producing TeX like pdfTeX or something similar. And this is a huge boon, especially if you have diagrams &c: I can remember DVI-based TeX and the endless nightmare of having to know which DVI-to-PS converter you were going to use.

Any suggested replacement for PDF would need to be able to render (after conversion, perhaps) all the existing PDF files which are the last 30 years or so of scientific papers, and all the PDF files from which books have been printed over the same period, all the standards documents for which the PDF file is the normative version and so on. And it needs to do this in an essentially bit-reproducible way. (You think scientists and authors do careful version-control of their papers including the toolchain that turned them into PDF? Yeah, right.)

And some hypothetical PDF replacement needs to be able to do a very large fraction of what PDF can do, because people need a lot of that stuff. I don’t know much about its outer reaches but I’m willing to bet that many of them have good uses.

So any PDF replacement is necessarily going to be a rich, complex specification for which which people are going to have to write interpreters, and which will also need to be targeted by PDF converters. Well, it turns out we have a rich, complex, open specification which people write interpreters for. That specification is here: its name is … PDF.

So this, in fact, tells you what the real problems are here.

Firstly there are parts of the PDF specification which are, still, proprietary and hence not really specified. Those need to be either excised, or standardised so they can be open to scrutiny. In most cases they’re already effectively excised since only Adobe’s PDF system implements them.

Secondly there are parts of the specification which just need not to be there. One notable one is that you can embed javaScript in it, which is about as sensible as embedding JavaScript in, say, a process which controls privileged access to Linux … oh, wait, sorry, no, as sensible as something else, because that’s obviously a sensible thing. And I think how this JS embedding happens is alsoone of the proprietary parts of the spec, which makes it doubly mad. The rest of the spec probably also needs to be gone over to look for things which are inherently dangerous.

Probably the end result of dealing with these two issues is that there should be a way of saying what ‘standard, (hopefully) safe’ bit of PDF is and some standard way of a bit of PDF saying it needs extensions. Perhaps that already exists: I don’t know.

So the improved, safer, more standard, replacement for PDF is, of course, going to be PDF.

But, thirdly, there’s the big problem. PDF – and any future PDF or replacement for it – is not some proprietary blob of code written by Adobe, or anyone else: it’s a standard format which many people write blobs of code to interpret. The thing that renders PDF files in Firefox probably has no code in common with Acrobat, and Acrobat probably has no code in common with whatever native PDF renderer exists on iOS, and that in turn probably has no code in common with whatever renders them in GoodReader or … pick any number of PDF renderers. And all of those blobs of code have to interpret a necessarily complex specification. And humans do not have a history of doing that either safely or correctly. And a new specification is not going to change that.

That’s the real problem here.

Notes. There’s no excuse for the ISO standard not being freely available, but that’s a different fight. I’m also not saying that it does not need attention: it probably does, it’s just that the approach is not to do a clean-slate specification.

Who? September 20, 2021 1:36 PM


Perhaps we need just a simple, lightweight, PDF viewer. The PDF viewer we are using here is mupdf; OpenBSD has two flavours of mupdf, the first one (“mupdf”) is just a PDF viewer, while the second one (“mupdf-js”) supports JavaScript.

Never used a document that requires features like JavaScript/ECMAscript, OpenGL, annotation, and so on. Most features are not really useful (encryption is weak, print permission can be easily bypassed). Perhaps hyperlinks (in the sense the ones provided by the Hyperref LaTeX package), but nothing more.

PDF is not so bad, but we need to simplify it focusing on a subset of really useful features. Simplifying is not so bad, we have seen it on HTML 5, when compared with HTML 2 up to 4, Python, and so on. Even Java has suffered a lot of simplifications (but in this case with a high price to some of the Java-based tools, that only worked on some versions of the Java virtual machines). At some point developers need to look at their own work and fix (“simplify”) it. PDF has been a nice playground for new technologies, but it is time to write readers that agree on a subset of really useful, and secure, features.

Ah, indeed, we suffered the nightmare of converting DVI to PostScript/PCL too. We ended writing a filter for our printers, a simple filter that took advantage of LaTeX and GhostScript to provide a reasonable PostScript or PCL 5 output and send it to our printers. By the way, that filter was a shell script named “laden” (as our other homegrown executables, it was stored on our local “~bin” directories… an internal joke).

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.