Message-ID: <47162997.3010909@sas.upenn.edu>
Date: Wed, 17 Oct 2007 11:26:15 -0400
From: Justin Klein Keane <jukeane@....upenn.edu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: 0-day PDF exploit

Adobe has a workaround (but doesn't seem to have a fix yet) for this
vulnerability (which they categorize as "critical"). They also state
(and testing seems to validate) that impact is limited to Windows XP
machines with IE 7.

http://www.adobe.com/support/security/advisories/apsa07-04.html

Justin C. Klein Keane
Sr. Programmer Analyst and Information Security Specialist
University of Pennsylvania
School of Arts and Sciences Computing
3600 Market St.
Philadelphia, PA 19104

eric@...hner.us wrote:
>> Why does everybody say it is a zero day about PDF? It's just a fault in
>> IE7, or do they just want to make a big media hit? A real PDF zero day
>> will exist in the PDF file format, or in some of Adobe's expanded functions.
>
> Actually, it's about PDF *and* IE7. Both are at fault, and if either
> one of them was doing the right thing, the exploit would fail.
>
> The first fault is Adobe's. Because it's their code that first
> acquires the input from the attacker, it's their job IMHO to validate
> it properly, but they don't. Instead, they turn around and tell
> Windows to open the bogus URI.
>
> The second fault is IE7's. The protocol handler used to fail
> gracefully by rejecting this kind of malformed URI, but now it
> doesn't. The new behavior is to turn around and call ShellExecute()
> with data taken from the URI.
>
> I prefer to think of it this way: Adobe's code has been doing the
> wrong thing for years, and they've gotten lucky. But now, a new bug
> in IE7 has come along which makes the old bug in Adobe's code
> exploitable.
>
> - Eric
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
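
The point made in the quoted reply, that the code which first receives the attacker's input should validate the URI before telling Windows to open it, sketched as an added example (not part of either message, and not Adobe's or Microsoft's code). The function names, the scheme allow-list and the sample strings are assumptions for illustration; the launcher call itself is left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed allow-list (hypothetical): schemes the application will launch. */
static const char *const ALLOWED_SCHEMES[] = { "http", "https", "mailto" };

/* Case-insensitive match of the n-byte scheme prefix against one entry. */
static int scheme_equals(const char *s, size_t n, const char *scheme)
{
    if (strlen(scheme) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != scheme[i]) return 0;
    return 1;
}

/* Returns 1 only if the scheme is allow-listed, every byte is a legal
 * RFC 3986 character, and every '%' begins a well-formed %XX escape. */
int uri_is_safe_to_launch(const char *uri)
{
    static const char punct[] = "-._~:/?#[]@!$&'()*+,;=";
    const char *colon;
    int allowed = 0;
    if (uri == NULL || (colon = strchr(uri, ':')) == NULL) return 0;
    for (size_t i = 0; i < sizeof ALLOWED_SCHEMES / sizeof *ALLOWED_SCHEMES; i++)
        allowed |= scheme_equals(uri, (size_t)(colon - uri), ALLOWED_SCHEMES[i]);
    if (!allowed) return 0;
    for (const char *p = colon + 1; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {
            /* Lone or truncated '%': reject outright, never try to repair. */
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return 0;
            p += 2;
        } else if (c >= 0x80 || (!isalnum(c) && strchr(punct, c) == NULL)) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed samples, not taken from the thread. */
    const char *samples[] = { "mailto:user@example.com", "mailto:user%",
                              "file:///C:/x", "http://example.com/a b" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%s -> %d\n", samples[i], uri_is_safe_to_launch(samples[i]));
    return 0;
}
```

The check rejects malformed input instead of repairing it, so a URI that fails never reaches the operating system's protocol handler at all.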