From: InfoSec News (alertsinfosecnews.org)
Date: Thu Jan 04 2007 - 01:33:27 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9007051

By Jeremy Kirk
January 03, 2007
IDG News Service

Security researchers are poring over what one vendor has called a
"breathtaking" weakness in the Web browser plug-in for Adobe Systems
Inc.'s Acrobat Reader program used to open files in the popular Portable
Document Format.

The problem was first highlighted by researchers Stefano Di Paola and
Giorgio Fedon, who presented a paper in Berlin last week on security
issues related to Web 2.0 technologies such as AJAX (Asynchronous
JavaScript and XML).

The Acrobat weakness involves a feature called "open parameters" in the
Web browser plug-in for the Reader program.

The plug-in allows arbitrary JavaScript code to run on the client side.
The code could include a malicious attack on a computer, wrote Hon Lau
on Symantec Corp.'s Security Response weblog.

"The ease in which this weakness can be exploited is breathtaking," Lau
wrote. "What this means in a nutshell is that anybody hosting a .pdf,
including well-trusted brands and names on the Web, could have their
trust abused and become unwilling partners in crime."

Any Web site hosting a PDF file could be manipulated to run an exploit,
Lau wrote. Because an exploit is relatively easy to craft, Lau predicted
attacks will start until the flaw is fixed.

In their research paper, Di Paola and Fedon wrote that the type of
attack used to exploit the problem is called universal cross-site
scripting, which uses a flaw in the browser rather than a vulnerability
within a Web site. A cross-site scripting attack involves the unintended
execution of code as part of a query string contained within a Web site
address.

Another Symantec blogger, Zulfikar Ramzan, wrote that attackers can
exploit a cross-scripting vulnerability by creating a special URL that
points to the Web page. In that address, the attacker would code it to
include some of his own content -- such as a form soliciting passwords
or credit card information -- that would be displayed on the targeted
Web page.

When victims click on the Web address -- which, for example, could be
included in a link enclosed in e-mail -- they would be directed to the
Web page. If they fill out information on a form on the page, it could
be passed to the attacker without the victim knowing the site had been
tampered with, Ramzan wrote.

"The result is that the user is lulled into a false sense of security
since he trusts the site and therefore trusts any transaction he has
with it, even though in reality he is transacting with an attacker,"
Ramzan wrote.

An Adobe spokesman could not immediately comment.

In highlighting the problem with the Reader plug-in, Di Paola and Fedon
warned that Web 2.0 applications -- such as Google Inc.'s Gmail and
Google Maps, both of which use AJAX -- will need to be more tightly tied
to the security of Web browsers.

Otherwise, the plethora of features in those applications "can be turned
into weapons if controlled by a malicious hacker," they wrote.

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]