
RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous



Ironically, this was exactly the same thing I was just trying to test!
It doesn't seem to change the way Firefox handles the file, and while I
can't test for IE6 here, Mark Andrews was kind enough to assist, and he
confirms that this does in fact close the hole for IE6:


1. Close your web browser.
2. Start Acrobat or Adobe Reader.
3. Choose Edit > Preferences.
4. Select Internet in the list on the left.
5. Deselect Display PDF in Browser, and click OK.
6. Restart Internet Explorer.


... Unfortunately, I just worked through the ActiveX update that was
released: http://www.adobe.com/support/security/bulletins/apsb06-20.html


...and it doesn't appear to mitigate the threat for Firefox (2.0.0.1) at
all.

~Dain
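The six dialog steps above are a per-user setting, which makes them tedious to verify or roll out across more than a handful of desktops. The script below is an added example, not something posted to the list or shipped by Adobe: it audits, and optionally applies, the same preference through the registry for the current user. It assumes (unverified here; check Adobe's preference reference for the versions you run) that the "Display PDF in browser" checkbox is stored as the DWORD value bBrowserIntegration under HKCU:\Software\Adobe\<product>\<version>\Originals, with 0 meaning disabled. It only covers the Reader preference the dialog exposes, so it does nothing about Firefox, where Dain reports the setting made no difference.

```powershell
# Added example (not from the list thread): audit or disable Adobe Reader's
# "Display PDF in browser" preference for the current user via the registry.
# ASSUMPTION: the checkbox maps to the DWORD bBrowserIntegration under
# HKCU:\Software\Adobe\<product>\<version>\Originals (0 = disabled).
# Run without -Apply to report; with -Apply to set the value to 0.
param([switch]$Apply)

$products = @('Acrobat Reader', 'Adobe Acrobat')
$found = $false

foreach ($product in $products) {
    $base = "HKCU:\Software\Adobe\$product"
    if (-not (Test-Path $base)) { continue }

    # Each installed version keeps its own numeric subkey, e.g. 7.0 or 8.0
    $versions = Get-ChildItem $base | Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
    foreach ($versionKey in $versions) {
        $found = $true
        $originals = Join-Path $versionKey.PSPath 'Originals'
        if (-not (Test-Path $originals)) { New-Item -Path $originals -Force | Out-Null }

        $current = (Get-ItemProperty -Path $originals -Name bBrowserIntegration `
                    -ErrorAction SilentlyContinue).bBrowserIntegration

        # An absent value means Reader falls back to its default, which is to
        # hand PDFs to the browser, so treat anything other than 0 as enabled.
        $state = if ($current -eq 0) { 'disabled' } else { 'ENABLED (default or explicit)' }
        Write-Output ("{0} {1}: Display PDF in browser = {2}" -f $product, $versionKey.PSChildName, $state)

        if ($Apply -and $current -ne 0) {
            Set-ItemProperty -Path $originals -Name bBrowserIntegration -Value 0 -Type DWord
            Write-Output "  -> set bBrowserIntegration=0 (restart Reader and the browser, as in steps 1 and 6)"
        }
    }
}

if (-not $found) { Write-Output 'No Adobe Reader/Acrobat preference keys found for this user.' }
```

Because the value lives under HKCU, the script has to run in each user's own session (a logon script is the usual vehicle); running it as an administrator only changes the administrator's preference. Re-running it without -Apply after a Reader update is a cheap way to confirm the setting survived.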

-----Original Message-----
From: RSnake [mailto:rsnake@xxxxxxxxxxxx] 
Sent: Thursday, January 04, 2007 4:17 PM
To: White, Dain P
Cc: websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly
dangerous


This was originally posted in the Opera forums, but if you cannot
upgrade for some reason this is definitely a way to stop this vector:

Open Adobe Reader and bring up the preferences dialog.
Select the 'Internet' category.
You should see an option along the lines of 'Display PDF in browser',
disable that.
OK out of the dialog, close Adobe Reader, and restart Opera. The plugin
should no longer appear on opera:plugins

Try that and let me know if you have any problems.

On Thu, 4 Jan 2007, White, Dain P wrote:

> There's some very incredible work being done here, some of the
> JavaScript masters on this list downright scare the bejabbers outta me.
> I can actually hear the sky falling, thanks! :|
>
> Does anyone have any advice on a workaround for IE6 that approximates
> the Firefox / Opera workaround of defaulting to save the PDF file
> rather than open? If I missed the tip in the deluge of messages, I
> apologize in advance...
>
> ~Dain
>


-R

----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
