Ashura

Quote:

When PDFs Attack!
Posted by Hon Lau on January 3, 2007 05:18 AM
Originally posted at http://www.symantec.com/enterprise/security_response/weblog/2007/01/when_pdfs_attack.html
We have received reports of a significant problem relating to Adobe Acrobat files and Cross Site Scripting (XSS). A weakness was discovered in the way that the Adobe Reader browser plugin can be made to execute JavaScript code on the client side. This stems from the “Open Parameters” feature in Adobe Reader, which allows for parameters to be sent to the program when opening a .pdf file. Like most things in life, this was a feature designed for benign usage, but unfortunately somebody has discovered that it can also be used for malicious purposes.
This development is significant for a number of reasons:
• The ease with which this weakness can be exploited is breathtaking. Use of this “feature” requires no exploitation of vulnerabilities on the server side.
• Any Web site that hosts a .pdf file can be used to conduct this attack. All the attacker has to do is find out who is hosting a .pdf file on their Web server and then piggy back on it to mount an attack. What this means, in a nutshell, is that anybody hosting a .pdf file, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime.
• Due to the power and flexibility of JavaScript, the attacker has a wide scope for inflicting damage.
This problem appears to be limited to the Firefox browser, which has a relatively large user base. Given that it is easy to exploit, I would expect that we will see this method used considerably in the coming days and weeks, until it is resolved. If you are using Norton Confidential, you are automatically protected against the current exploitation methods utilized in this attack. For others, you can mitigate against attacks by implementing JavaScript filtering capabilities on corporate firewalls and intrusion detection systems, and by disabling Adobe Reader plugin capabilities in Web browsers. In addition, beware of people sending you links to .pdf files on the Web. Check the URL for any unusual text or parameters after the .pdf extension. This would apply to all the usual distribution channels such as email, instant messaging, Web browsing, and so on.
For more information about Cross Site Scripting, you can read Zulfikar’s blog entry about the topic of Phishing and XSS from July of last year.
UPDATE
For more information about this vulnerability, please read Adobe's advisory at http://www.adobe.com/support/security/advisories/apsa07-01.html
UPDATE
You can mitigate this problem by upgrading to Adobe Reader 8.
Alternatively, you can implement a workaround in your browser so that it does not use the Acrobat Reader plugin. The following instructions apply to the Firefox browser:
• In the Tools menu, select Options.
• Select Downloads in the Options dialog.
• Click on the View & Edit Actions button.
• In the Download Actions dialog, choose the action for the PDF extension or the Adobe Acrobat Document file type and then click on Change Action.
• Click on OK, Close and OK to close out of the Options dialog.
UPDATE
Subsequent testing has shown that systems running Internet Explorer 6 and Adobe Reader 7 on Windows XP SP1, and systems with Internet Explorer 6 and Adobe Reader 4 on Windows XP SP2 are also vulnerable to the attack.

here is the exploit itself
[code]# Stefano Di Paola
# http://www.wisec.it/
From Secunia:
Input passed to a hosted PDF file is not properly sanitised by the browser plug-in
before being returned to users. This can be exploited to execute arbitrary script code in
a user's browser session in context of an affected site.
Example:
- http://[host]/[filename].pdf#[some text]=javascript:[code]
[/code]
GNUCITIZEN has published a tutorial on using XSS with JavaScript to exploit a vulnerable client.
Quote:
from http://www.securityfocus.com/brief/401
The XSS flaw affects Acrobat Reader 7 and prior versions on both Internet Explorer and Firefox for Windows. Vulnerable users are advised to either disable JavaScript, upgrade to Acrobat Reader 8, or use an alternative PDF reader or plug-in for their browser of choice.

well erm i use Opera with Foxitreader (click on link under "alternative PDF reader" for direct download posted month ago on this forum)
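
The advice quoted above to check a link for unusual text after the .pdf extension can be automated; the following is an added example, not part of the original post or the quoted advisories. The part after `#` is never sent to the web server, so the check has to run where the full link is visible (mail, IM or page content). Function names, the scheme list and the sample links are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: javascript: and vbscript: are the script schemes worth flagging;
# the page itself only shows javascript:.
SCRIPT_SCHEME = re.compile(r"^(javascript|vbscript):", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def _decode(text, rounds=3):
    """Percent-decode repeatedly so %6Aavascript: and double encoding are caught."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_pdf_link(url):
    """Return a reason string if a .pdf link has script in its fragment, else None."""
    parts = urlsplit(url.strip())
    if not parts.fragment or not _decode(parts.path).lower().endswith(".pdf"):
        return None
    # Open Parameters after '#' are name=value pairs separated by '&'.
    for pair in _decode(parts.fragment).split("&"):
        name, _, value = pair.partition("=")
        value = re.sub(r"[\x00-\x20]", "", value)  # strip whitespace/control padding
        if SCRIPT_SCHEME.match(value):
            return f"script scheme in open parameter {name!r}"
    return None

def scan_text(text):
    """Return (url, reason) for every flagged link found in a message body."""
    hits = []
    for url in URL_RE.findall(text):
        reason = suspicious_pdf_link(url.rstrip(".,;"))
        if reason:
            hits.append((url, reason))
    return hits

# Constructed sample message; host and file names are placeholders.
SAMPLE = (
    "Minutes: http://www.example.com/docs/report.pdf#page=4 "
    "see http://www.example.com/docs/report.pdf#x=javascript:alert(1) "
    "and http://www.example.com/a.pdf#y=%6Aava%73cript:alert(1)"
)

if __name__ == "__main__":
    for url, reason in scan_text(SAMPLE):
        print(f"FLAG {url}: {reason}")
```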