[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] 0-day PDF exploit

To: "cocoruder ." <frankruder@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] 0-day PDF exploit
From: eric@xxxxxxxxxx
Date: Wed, 17 Oct 2007 03:07:16 -0700

> Why everybody said it is a zero day about PDF? it's just a fault in
> IE7, or just want to make a big media hit? real PDF zero day will
> exists in the PDF's file format, or some Adobe's expanded functions.

Actually, it's about PDF *and* IE7.  Both are at fault, and if either  
one of them was doing the right thing, the exploit would fail.

The first fault is Adobe's.  Because it's their code that first  
acquires the input from the attacker, it's their job IMHO to validate  
it properly, but they don't.  Instead, they turn around and tell  
Windows to open the bogus URI.

The second fault is IE7's.  The protocol handler used to fail  
gracefully by rejecting this kind of malformed URI, but now it  
doesn't.  The new behavior is to turn around and call ShellExecute()  
with data taken from the URI.

I prefer to think of it this way: Adobe's code has been doing the  
wrong thing for years, and they've gotten lucky.  But now, a new bug  
in IE7 has come along which makes the old bug in Adobe's code  
exploitable.

- Eric


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] 0-day PDF exploit
  - From: Justin Klein Keane
- Re: [Full-disclosure] 0-day PDF exploit
  - From: cocoruder .

References:
- Re: [Full-disclosure] 0-day PDF exploit
  - From: cocoruder .

Prev by Date: Re: [Full-disclosure] *****SPAM***** OMG - I just won the lottery! For real!!11!
Next by Date: [Full-disclosure] Net & System Security 2007
Previous by thread: Re: [Full-disclosure] 0-day PDF exploit
Next by thread: Re: [Full-disclosure] 0-day PDF exploit
Index(es):
- Date
- Thread