Re: [Dailydave] Blog spam, obfuscated javascript and more!

From: Dave Korn (dave.kornartimi.com)
Date: Mon Jul 28 2008 - 11:54:00 CDT


Petja van der Lek wrote on 28 July 2008 16:22:

> A word of warning might be in order: the PDF is filled with hyperlinks
> to (presumably) live malware sites. Navigating the document is therefore
> not unlike playing Minesweeper. Red flags are not powerups but mean
> "danger". Mis-click to get pwned.

<boggle> You allow your browser to run javascript ... by default? ... or
only specifically when studying malware?

> Stuff like that. You might want to use
> a reader that at least asks for confirmation before it serves up the
> site in your browser (a quick test shows that Adobe Reader 7 as a
> Firefox plugin

<double-boggle> You read PDFs in your browser using the plugin?[*]

> happily opens a link without asking anything, for instance).

  You're barking up the wrong hole here. The problem isn't that if you
click a link in a PDF document viewed in your browser you will browse
straight to it; that's no different than clicking a link on an HTML page
viewed in your browser, and you wouldn't expect it to ask before it followed
a link there. The problem is that you're running untrusted scripts: you're
as vulnerable to getting pwned by an iframe banner ad on MSN or Yahoo as you
are to clumsily clicking a link in a document about malware.

  Seriously, nobody should even be here if they don't appreciate that
they're dealing with live munitions and know how to handle them safely.

    cheers,
      DaveK

[*] - that's not really a security boggle, that's more of a
how-the-hell-long-before-I-get-control-of-my-browser-back-thank-you-very-much-adobe-and-your-godawful-bloatware
boggle. Though of course I would still
recommend downloading PDFs with "Save link as..." and viewing them in foxit
so that they're not in the same process space as your browser, just for a
bit of added insulation.
--
Can't think of a witty .sigline today....
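The practical problem Petja describes (a document full of links you must not click) and Dave's advice to keep the file out of the browser process both point the same way: look at what the PDF would do before anything renders it. The following is an added example, not code from either poster; it is a byte-level first pass in Python that lists every /URI target in a file, including ones tucked inside Flate-compressed streams, and counts the action keywords (/JavaScript, /OpenAction, /AA, /Launch, /EmbeddedFile) that let a PDF act without a click. The sample PDF is constructed inline and its hostnames are placeholders; the set of action keywords is my own choice. It is deliberately not a PDF parser, so encrypted documents, names written with `#xx` escapes, and streams using filters other than FlateDecode will slip past it.

```python
import re
import zlib
from urllib.parse import urlparse

# ---- constructed sample, not a real file; hostnames are placeholders -------
# One link annotation is hidden inside a Flate-compressed stream, so a plain
# strings-style look at the file would miss it.
HIDDEN_OBJ = (b"7 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (http://evil.example/second-stage) >> >> endobj")
COMPRESSED = zlib.compress(HIDDEN_OBJ)
HEX_URI = b"https://www.example.org/paper.pdf".hex().upper().encode()  # hex-string form

SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R 7 0 R] >> endobj\n",
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n",
    b"   /A << /S /URI /URI (http://malware.example/dropper.exe) >> >> endobj\n",
    b"5 0 obj << /S /JavaScript /JS (app.alert\\(hi\\)) >> endobj\n",
    b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <", HEX_URI, b"> >> >> endobj\n",
    b"8 0 obj << /Length ", str(len(COMPRESSED)).encode(), b" /Filter /FlateDecode >>\nstream\n",
    COMPRESSED, b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

# Names that make a PDF act on its own: scripts, run-on-open actions,
# additional-action dictionaries, program launches, embedded files.
ACTION_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # (literal string)
_URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")           # <hex string>


def _surfaces(pdf: bytes):
    """Yield the raw file, then the content of every stream that inflates.
    decompressobj() tolerates a missing adler32 trailer, which the regex can
    clip when compressed data happens to end in a CR byte."""
    yield pdf
    for m in _STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (images, other filters): skip it


def extract_uris(pdf: bytes) -> list:
    """Every /URI target, literal or hex-encoded, in file order, deduplicated."""
    found = []
    for surface in _surfaces(pdf):
        for m in _URI_LITERAL_RE.finditer(surface):
            # drop the PDF backslash escapes: \( \) \\
            found.append(re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1"))
        for m in _URI_HEX_RE.finditer(surface):
            hexdigits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
            if len(hexdigits) % 2:          # spec: a trailing odd digit means digit + '0'
                hexdigits += "0"
            found.append(bytes.fromhex(hexdigits).decode("latin-1"))
    return list(dict.fromkeys(found))


def action_counts(pdf: bytes) -> dict:
    """How many times each action keyword appears, across all surfaces."""
    counts = {}
    for surface in _surfaces(pdf):
        for key in ACTION_KEYS:
            n = len(re.findall(re.escape(key) + rb"\b", surface))
            if n:
                counts[key.decode()] = counts.get(key.decode(), 0) + n
    return counts


def triage(pdf: bytes) -> dict:
    """Summary an analyst can read before any viewer touches the file."""
    uris = extract_uris(pdf)
    hosts = sorted({h for h in (urlparse(u).hostname for u in uris) if h})
    actions = action_counts(pdf)
    return {
        "uris": uris,
        "hosts": hosts,
        "actions": actions,
        # Heuristic only: /OpenAction next to script names is the run-on-open
        # pattern; confirm by reading the object /OpenAction points at.
        "auto_action_with_script": "/OpenAction" in actions
                                   and bool({"/JavaScript", "/JS"} & actions.keys()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

Run it against a downloaded file (`triage(open(path, "rb").read())`) and you get the list of hosts the document's links would reach and whether anything fires on open, which is the information you want before deciding where, and whether, to render it.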

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave