Create an Account
username: password:
 
  MemeStreams Logo

Adobe flaw #$%&s everyone

search

Dolemite
Picture of Dolemite
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Dolemite's topics
Arts
  Movies
  Music
   Blues
   Classical
   Electronic Music
   Indie Rock
   Industrial
   Jazz
   New Age
   Punk
   Vocalist
   World Music
Business
Games
Health and Wellness
Home and Garden
Miscellaneous
Current Events
Recreation
Local Information
Science
Society
Sports
Technology

support us

Get MemeStreams Stuff!


 
Adobe flaw #$%&s everyone
Topic: Technology 1:10 pm EST, Jan  5, 2007

There is a flaw in Abode’s Acrobat reader plugin which allows JavaScript to execute. This flaws means ever website that contains a PDF file has a de facto Cross Site Scripting (XSS) vulnerability. Clicking on a link like http://bank.com/report.pdf#EVILCode will cause JavaScript to execute in the context of bank.com. Regardless of how security bank.com’s website is, attackers can get their own JavaScript to interact with the website, exposing everyone on bank.com to all the traditional dangers of XSS. It is important to note that there is nothing wrong or malicious about the PDF file itself. An attack doesn’t need to upload a malicious file for this to work. The issue is Adobe executes an JavaScript that is contained in the fragment (#) of a hyperlink.

This flaw essentially backdoors every website on the Internet that hosts a PDF. Any website with a PDF can be the target of a hyperlink with a malicious fragment added to it. This flaw is so extremely dangerous because an attacker simply creates a malicious hyperlink to any legitimate PDF on any website and can attack that website.

It gets worse, because there is little a website can do to stop the attack. If a victim clicks on a link like http://bank.com/report.pdf#EVILCode, the #EVILCode fragment is not actually sent to bank.com. Thus bank.com cannot detect if a PDF is being requested to launch an attack, or is being requested for legitimate purposes Short of removing all PDF’s from their site, a company cannot protect itself or it’s users from this technique. This flaw can also be exploited using an HTML iFrame. This means a victim doesn’t have to physically click on a bad link; simply viewing a website could cause a PDF to load and exploit the user.

XSS can be used for various types of attacks, such as phishing, password stealing, self-propagating worms, keystroke logging, and attacking internal corporate networks.

This vulnerability is interesting because it occurs in a browser plugin, making all browser’s that use the plugin vulnerable. It is also interesting because it doesn’t require an attacker to create or upload a malicious file. This attack piggybacks on top of perfectly safe PDFs.

Updated
Effected Browser: (all on Windows)
IE6 + Acrobat Reader 7 + XP SP1
IE6 + Acrobat Reader 4 + XP SP2
(possibly) IE 6 on non-XP platforms
Firefox 2.0.0.1
Firefox 1.5.0.8
Opera 8.5.4 build 770
Opera 9.10.8679

Adobe flaw #$%&s everyone



 
 
Powered By Industrial Memetics
RSS2.0