20Oca
When receiving PDFs from unknown sources, is it sufficient to remove dynamic content to minimise attack surface?
My company allows customers to upload PDFs, JPEGs and PNGs to our servers, which are then viewed by clients. We want to minimise the potential for attack on the clients. While the image formats are generally pretty safe, PDFs introduce multiple attack vectors. My understanding is that these attacks almost always exploit dynamic content like JS or Flash to embed or download a payload. If we reduce the PDFs to just typeset documents, how significant is the risk? Are there any known exploits that would succeed if all dynamic content was stripped?
