A reasonably nasty one this morning: imagine you could run JavaScript on a remote host just by adding some code to the URL of a real PDF file. Well, you can!
This is entirely client side: the URL uses the anchor (the part after the #) of the PDF URL to get Acrobat to run the JavaScript. To test whether you are vulnerable, here is a demonstration link containing a javascript:alert(123)
Depending on how the client protects itself from scripts, you could start doing some pretty nasty things in the context of the site that is hosting the PDF.
Mitigation:
This appears to be fixed in Adobe Acrobat/Reader 8, another reason to update. When you click the link, the plug-in gives the error message “This operation is not allowed”.

If you cannot update to Acrobat v8, then:
- Turn off JavaScript in your browser
- Use the NoScript Add-on for Firefox
- Stop Acrobat Reader from running as a browser plug-in
  (Adobe Acrobat Reader > Edit menu > Preferences > un-check “Display PDF in browser”)
Preview on OS X does not process the JavaScript.
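As an added example (not code from the original post), a small Python check that flags links to PDF files whose anchor carries a javascript: URL, the form described above. The anchor is never sent to the web server, so a check like this is only useful where the whole link is visible (a mail gateway, an outbound-link filter, a browser extension), not over web-server logs; the sample URLs are constructed.

```python
# Added example, not part of the original post. Flags links to PDF files
# whose fragment (anchor) holds a javascript: URL. Note: browsers never
# send the fragment to the server, so this cannot run over access logs.
from urllib.parse import urlsplit, unquote

def fragment_params(fragment: str) -> list[tuple[str, str]]:
    """Split a fragment such as 'page=2&zoom=100' into (name, value) pairs.
    A bare fragment without '=' is returned as ('', value)."""
    params = []
    for part in fragment.split("&"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            name, value = "", name
        params.append((name, value))
    return params

def is_script_scheme(value: str) -> bool:
    """True if the value is a javascript: URL once percent-encoding is
    undone (up to three layers) and whitespace/control characters are
    stripped, since browsers ignore those inside the scheme."""
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    cleaned = "".join(ch for ch in decoded if ord(ch) > 0x20)
    return cleaned.lower().startswith("javascript:")

def pdf_fragment_risky(url: str) -> bool:
    """Return True for a link to a .pdf whose fragment carries a javascript: URL."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".pdf"):
        return False
    return any(is_script_scheme(v) for _, v in fragment_params(parts.fragment))

def risky_links(urls: list[str]) -> list[str]:
    """Filter a batch of links (e.g. extracted from a mail or a page) to the risky ones."""
    return [u for u in urls if pdf_fragment_risky(u)]

if __name__ == "__main__":
    # Constructed sample links; example.com is a placeholder host.
    sample = [
        "https://www.example.com/docs/report.pdf#page=2&zoom=100",
        "https://www.example.com/docs/report.pdf#something=javascript:alert(123)",
        "https://www.example.com/docs/REPORT.PDF#x=%6aavascript%3Aalert(1)",
        "https://www.example.com/index.html#x=javascript:alert(1)",
    ]
    for link in risky_links(sample):
        print("risky:", link)
```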
LINKS:
[1.] Subverting AJAX [23rd Chaos Communication Congress]
[2.] DANGER, DANGER, DANGER (03-Jan-2007) [GNUCITIZEN]
[3.] Adobe Acrobat JavaScript Execution Bug (03-Jan-2007) [SlashDot]
[4.] PDF XSS vulnerability announced at CCC (03-Jan-2007) [SANS]
[5.] Adobe Reader Cross-Site Scripting Vulnerability SA23483 (03-Jan-2007) [Secunia]

Thanks for passing along the info about how the current version of Adobe Reader already prevents this.
The Adobe Security Advisory on the subject just went live this evening too:
http://www.adobe.com/support/security/advisories/apsa07-01.html
tx, jd/adobe
Hello,
This might be a bit off topic, but I also very much dislike that Adobe Reader has JavaScript capabilities. I recommend that everyone disable JavaScript in Adobe Reader:
http://netzreport.googlepages.com/how_to_use_adobe_read_no_javascript.html
Gerhard Milke