Adobe Universal XSS
Discussion
In September, pdp and I did some really fun work involving backdooring PDF files. It opened a lot of eyes and some bank accounts in getting it fixed. Now Stefano Di Paola and Giorgio Fedon have found a way to perform universal XSS attacks on systems with Adobe Reader and Professional installed.
Affected Versions
According to pdp the following versions have been found vulnerable:
- IE 6 SP 1 with version of Acro Reader older than 8.0
- Firefox 2.0.0.1 win32
- Firefox 1.5.0.8 win32
- Opera 8.5.4 build 770 win32
- Opera 9.10.8679 win32
Not Vulnerable:
- IE7.0 win32
Exploitation:
http://[URL]/[FILENAME].pdf#something=javascript:alert(123);
sven released some nice POC exploits using this vulnerability, see:
http://www.disenchant.ch/blog/hacking-with-browser-plugins/
Solutions:
This brings back memories from last year. Those who learned from our previous post on backdooring PDF files will be immune to this attack. Some suggestions:
- Use Foxit PDF reader rather than Adobe (JavaScript is disabled by default)
- If you must stick with Adobe then disable all default plugins that are not in use. See bipin’s comment on our original findings http://michaeldaw.org/md-hacks/backdooring-pdf-files/#comment-42
- Upgrade to Adobe 8
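Added example, not part of the original post or of Adobe's advisory: a link filter that flags the URL shape shown under Exploitation (a .pdf path whose fragment carries a javascript: value). The fragment is never sent to the web server, so the check has to run where the full link is visible, such as a mail gateway or an HTML sanitizer. The function names and the sample markup are constructed for illustration.

```python
import re
from html import unescape
from urllib.parse import urlsplit, unquote

def _normalize(value: str) -> str:
    """Undo nested percent-encoding, then drop whitespace/control bytes and case."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"[\x00-\x20]+", "", value).lower()

def is_pdf_fragment_xss(url: str) -> bool:
    """True if url points at a .pdf and a fragment parameter starts with javascript:."""
    parts = urlsplit(url)
    if not unquote(parts.path).lower().endswith(".pdf"):
        return False
    for pair in parts.fragment.split("&"):
        # Check the value of name=value; fall back to the bare token if no '='.
        value = pair.partition("=")[2] or pair
        if _normalize(value).startswith("javascript:"):
            return True
    return False

def flag_links(markup: str) -> list[str]:
    """Return href/src targets in markup that match the pattern above."""
    targets = re.findall(r'''(?:href|src)\s*=\s*["']([^"']+)["']''', markup, flags=re.I)
    decoded = (unescape(t) for t in targets)  # attribute values are HTML-escaped
    return [u for u in decoded if is_pdf_fragment_xss(u)]

# Constructed sample input: one benign open-parameter link, two flagged links.
SAMPLE_HTML = """
<a href="http://example.test/report.pdf#page=2">report</a>
<a href="http://example.test/report.pdf#x=javascript:alert(123);">report</a>
<a href="/manual.pdf#a=1&amp;b=%6Aavascript:void(0)">manual</a>
"""

if __name__ == "__main__":
    for hit in flag_links(SAMPLE_HTML):
        print("suspicious PDF link:", hit)
```
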
Hi, I’m sorry for the wait on this, but the Adobe Security Advisory is up now, with best info:
http://www.adobe.com/support/security/advisories/apsa07-01.html
(I appreciate your mention that this was already addressed in the free Adobe Reader 8 download, by the way!)
If you see any other potential risks with any Adobe software then it would be great to hear concerns here, thanks:
http://www.adobe.com/support/security/alertus.html
jd/adobe
jd no problem. Thanks for keeping us informed.