If the PDF is signed by a certificate the user has manually installed, it can embed what Adobe calls “high privilege” JavaScript, which includes the ability to launch any URL. That’s an extra step, which would discourage some users, but on the plus side it addresses the “who’s given informed consent?” problem.
Momentarily donning a slightly darker hat: it is also possible for a PDF to launch an arbitrary executable (see pp. 30-34 of Julia Wolf’s OMG WTF PDF, video). AIUI this requires no additional privileges.
...a certificate the user has manually installed …an extra step, which would discourage some users
My estimate for the value of that “some” is 95%+
Not to mention that most of the people who can be easily persuaded to manually install a cert on their PC probably already have a dozen toolbars in their browser… :-D