Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- From: "Neil Smithline" <webappsecurity.org@xxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- Date: Sat, 6 Jan 2007 00:20:17 -0500
As an alternative to upgrading to Adobe Reader, I think dumping Adobe Reader
is another way to go. Besides it being slow to start, a resource hog,
unwieldy, and, IMO, providing a terrible browser integration (without any
foresight into this vulnerability, I just blogged about getting rid of Adobe
Reader at
http://www.smithline.net/mygeekdom/2006/12/adobe-reader-dead-or-at-least-twitching.html).

When I tried some of the test URLs for this vulnerability with Foxit, it
came back with an error saying it didn't support JavaScript. Not that Foxit
is necessarily a more secure PDF reader (although it is much smaller and
simpler so it is likely more secure), it is that Foxit is a smaller target.
OK, I suspect I won't convince too many people to remove Adobe Reader but,
the general problem here is that a single piece of software becomes
ubiquitous and then becomes an attractive target for exploitation. Besides
good secure coding practices, keeping multiple options for software reduces
the chances of mass vulnerabilities. The payoff just isn't great enough. And
when you start talking about exploits that use viral propagation techniques,
reducing the number of vulnerable clients starts to pay off exponentially.

- Neil

PS: No, I don't work for Foxit - just a fan :-)

On 1/5/07, Amit Klein <aksecurity@gmail.com> wrote:
>
>
> The point is - someone with shared IP is vulnerable ONLY to an attacker
> with the same IP. Which makes attacks much less generic and much more
> painful. Rock solid it ain't, but I think it's a pretty good band-aid
> until all (hmmm...) clients upgrade to Acrobat Reader 8.0.
>
> -Amit
Brought to you by http://www.webappsec.org