Re: [Full-disclosure] 0-day PDF exploit



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adobe has a work around (but doesn't seem to have a fix yet) for this
vulnerability (which they categorize as "critical"). They also state
(and testing seems to validate) that impact is limited to Windows XP
machines with IE 7.

http://www.adobe.com/support/security/advisories/apsa07-04.html


Justin C. Klein Keane

Sr. Programmer Analyst and Information Security Specialist
University of Pennsylvania
School of Arts and Sciences Computing
3600 Market St.
Philadelphia, PA 19104

eric@xxxxxxxxxx wrote:
Why everybody said it is a zero day about PDF? it's just a fault in
IE7, or just want to make a big media hit? real PDF zero day will
exists in the PDF's file format, or some Adobe's expanded functions.

Actually, it's about PDF *and* IE7. Both are at fault, and if either
one of them was doing the right thing, the exploit would fail.

The first fault is Adobe's. Because it's their code that first
acquires the input from the attacker, it's their job IMHO to validate
it properly, but they don't. Instead, they turn around and tell
Windows to open the bogus URI.

The second fault is IE7's. The protocol handler used to fail
gracefully by rejecting this kind of malformed URI, but now it
doesn't. The new behavior is to turn around and call ShellExecute()
with data taken from the URI.

I prefer to think of it this way: Adobe's code has been doing the
wrong thing for years, and they've gotten lucky. But now, a new bug
in IE7 has come along which makes the old bug in Adobe's code
exploitable.

- Eric


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHFimWR4a3EW2yjlQRAk97AJ4qFK+BsYag6+wvyCtqfKe0BC1TdgCeOMIy
d741rlxtPXXJEoDpVgrQpMQ=
=IQ9P
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: [Full-disclosure] 0-day PDF exploit
    ... IE7, or just want to make a big media hit? ... real PDF zero day will ... The first fault is Adobe's. ... Windows to open the bogus URI. ...
    (Full-Disclosure)
  • Re: [Full-disclosure] 0-day PDF exploit
    ... Yes, you are right, the adobe's fault is allowing to call "mailto" URI without user's validate, but the "remote code execute" is due to MS's fault, I am not prefer or hate any vendor and anyone, but the initial disclosure misleaded me to believe there is a PDF file format vul because "the vulnerability affecting both Adobe Reader and Foxit Reader". ... a new bug in IE7 has come along which makes the old bug in Adobe's code exploitable. ...
    (Full-Disclosure)
  • Re: windows error
    ... In this case, you may have to uninstall IE7, get a fresh copy from MS, ... Faulting application control.exe, version 5.1.2600.0, faulting module ... unknown, version 0.0.0.0, fault address 0x1000640e. ... see Help and Support Center athttp://go.microsoft.com/fwlink/events.asp. ...
    (microsoft.public.windowsxp.general)
  • Re: Sharapova a lousy lay?
    ... "Limp and no very quiet". ... Could of course be his fault:) ... It could also be of course that Uri had her circumcised at ...
    (rec.sport.tennis)
  • Re: Sharapova a lousy lay?
    ... "Limp and no very quiet". ... Could of course be his fault:) ... It could also be of course that Uri had her circumcised at puberty. ...
    (rec.sport.tennis)