From: eric@xxxxxxxxxx
To: "cocoruder ." <frankruder@xxxxxxxxxxx>
CC: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] 0-day PDF exploit
Date: Wed, 17 Oct 2007 03:07:16 -0700
Why everybody said it is a zero day about PDF? it's just a fault in
IE7, or just want to make a big media hit? real PDF zero day will
exists in the PDF's file format, or some Adobe's expanded
functions.
Actually, it's about PDF *and* IE7. Both are at fault, and if
either one of them was doing the right thing, the exploit would
fail.
The first fault is Adobe's. Because it's their code that first
acquires the input from the attacker, it's their job IMHO to
validate it properly, but they don't. Instead, they turn around
and tell Windows to open the bogus URI.
The second fault is IE7's. The protocol handler used to fail
gracefully by rejecting this kind of malformed URI, but now it
doesn't. The new behavior is to turn around and call ShellExecute()
with data taken from the URI.
I prefer to think of it this way: Adobe's code has been doing the
wrong thing for years, and they've gotten lucky. But now, a new bug
in IE7 has come along which makes the old bug in Adobe's code
exploitable.
- Eric