PDF documents threaten our computers      

25 November 2009 | By Anton

PDF documents that users create themselves may, under certain conditions, disclose information that the author probably did not want to reveal.

Concern

When Internet Explorer prints an HTML page to a virtual PDF printer used to create PDF files, the full path to the directory where the document was saved is placed in the document, for example file://C:\Users\siefca\Downloads\dokument.pdf. Unlike the information in the header and footer of the document, this entry cannot be excluded.

A similar problem occurred earlier in the Microsoft Word text editor, which wrote the complete path of the saved file and information about the author into the document. This data can easily be read with the system's Notepad. Newer versions of Word no longer have this problem.

While the reported behavior is not in itself a vulnerability, it can be a problem from a data protection perspective, because third parties can obtain information about the directory structure on the author's computer. In certain cases the path may include user names, the application software in use, or the category to which the document was assigned.

The discoverer of the problem, a security expert nicknamed Inferno, points out that even a simple Google search turns up millions of PDF files that contain this kind of path data.

The cause of the problem lies in the behavior of Internet Explorer, which puts the full path and file name in the title of the document. Which PDF generator was used to create the file does not matter.

In a test, the problem could be reproduced using the combination of IE8 and CutePDF. Microsoft's browser showed the same behavior with files created using Adobe Distiller and tools from other manufacturers.

Unintended inclusion of file path information in PDF documents can also happen when PowerPoint presentations are converted to PDF format. For example, PowerPoint stores the path to an inserted image as metadata. This can lead to unpleasant situations, for example when a presentation contains information about another client.

Solution

There is a solution to the problem. Microsoft has been informed of the issue, and it is supposed to be fixed in Internet Explorer 9.

This problem does not affect Firefox, which places only the file name in the title of the document.

Workaround

As a workaround for the browser's troubling behavior, Inferno suggests manually removing the path data using a suitable editor. However, this can damage the PDF file so that it can no longer be displayed.

In the case of PowerPoint, it may help to exclude the document properties in the option for non-printing information.
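
A pre-publication check for the leak described above, as an added example that is not from the original article or from Inferno: it scans raw PDF bytes for `/Title` strings that look like local paths and only reports them, leaving the file untouched. The regular expressions, function names and sample dictionaries are assumptions constructed for illustration; the path is the article's own example.

```python
import re

# /Title followed by a literal string (...) or a hex string <...>. Also matches
# outline (bookmark) titles, which can leak a path just as well.
TITLE_RE = re.compile(
    rb"/Title\s*(?:\(((?:\\.|[^\\()]|\((?:\\.|[^\\()])*\))*)\)|<([0-9A-Fa-f\s]*)>)",
    re.S)
# Shapes of local paths: file:// URLs, drive letters, UNC shares, home directories
PATH_RE = re.compile(r"file://|\b[A-Za-z]:[\\/]|\\\\[\w.-]+\\|/(?:home|Users)/")

def decode_pdf_string(literal, hexstr):
    """Turn the raw bytes of a PDF string object into text."""
    if hexstr is not None:
        digits = re.sub(rb"\s", b"", hexstr).decode("ascii")
        raw = bytes.fromhex(digits + "0" * (len(digits) % 2))  # odd length: pad with 0
    else:
        raw = re.sub(rb"\\([\\()])", rb"\1", literal)  # undo \\ \( \) escapes
    if raw.startswith(b"\xfe\xff"):  # UTF-16BE text string with byte order mark
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")

def find_path_titles(pdf_bytes):
    """Return every /Title value in the raw PDF bytes that looks like a local path.

    Limitation: titles inside compressed object streams or encrypted files are
    not visible to a raw byte scan; the file is only read, never modified.
    """
    hits = []
    for m in TITLE_RE.finditer(pdf_bytes):
        title = decode_pdf_string(m.group(1), m.group(2))
        if PATH_RE.search(title):
            hits.append(title)
    return hits

# Constructed Info dictionary fragments (not taken from real files)
LEAKED = r"file://C:\Users\siefca\Downloads\dokument.pdf"  # example path from the article
IE_STYLE = rb"<< /Title (file://C:\\Users\\siefca\\Downloads\\dokument.pdf) >>"
HEX_STYLE = b"<< /Title <" + ("\ufeff" + LEAKED).encode("utf-16-be").hex().encode() + b"> >>"
FIREFOX_STYLE = rb"<< /Title (dokument.pdf) /Producer (Example) >>"

if __name__ == "__main__":
    for name, blob in [("IE", IE_STYLE), ("hex", HEX_STYLE), ("Firefox", FIREFOX_STYLE)]:
        print(name, find_path_titles(blob))
```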
 