potatoman22 20 days ago

This is a good reminder of why not to download random PDFs. One of the mechanisms of the Pegasus spyware was emulating a computer inside a PDF.

https://en.wikipedia.org/wiki/Pegasus_(spyware)#Vulnerabilit...

poincaredisk 20 days ago

The vulnerability was in image parsing, and the exploit was distributed by sending an iMessage to the target. So don't open any images, and don't read iMessages. They are also known to use browser exploits, so don't visit random websites.

That was sarcasm, in case it's not clear over the internet. Telling people to avoid "suspicious" PDFs/websites is common but ultimately not very useful advice.

The real takeaway is: don't become a target of a nation state intelligence agency. If you own a phone, they can take over it, and there's nothing you can do.

cess11 20 days ago

The Pegasus Project has shown that pretty much anyone could be targeted. It's enough to know someone in a publicly owned company or publicly say something negative about corruption or just be in the wrong place at the wrong time.

Nothing you do will guarantee that the state won't come after you.

sgerenser 19 days ago

If you’re really worried about this and you use an iPhone, then you should be using Lockdown Mode: https://support.apple.com/en-us/105120

geor9e 20 days ago

A Tetris PDF could be in a 1 pixel iframe right on this page and you'd never know it. So it doesn't require any user action to download one.

sexy_seedbox 19 days ago

That's why you run NoScript alongside UBO.

geor9e 19 days ago

I'm pretty sure NoScript will break 90% of the webpages I visit. I just rawdog the internet. If Chrome gets 0day'd then a lot of us are going down - at least I'll have company.

throwaway2037 19 days ago

> If Chrome gets 0day'd then a lot of us are going down

If anything, Google would have the correct incentive to protect itself from a zero-day exploit. I guess they could release a patched version internally only, but I doubt it. I do think they want the image of Chrome to be relatively positive, and a giant security hole (patched slowly) would do them no favours.

grgergo 18 days ago

This PDF still runs with JS disabled in both of those, and in Firefox about:config...