Adobe PDF XSS Vulnerability
I've been concentrating on work this past week, but I wanted to quickly mention the Adobe PDF XSS vulnerability discovered by Stefano Di Paola and Giorgio Fedon. This is being called UXSS (universal cross-site scripting) due to the fact that it can affect virtually any web site. (The web site just has to host a PDF.)
The basic attack is pretty straightforward:
This path is clearly for Windows, but I'm sure similar local URLs can be found for other platforms.
This is all significant, because as I've mentioned before, XSS matters.
One thing missing from most of the discussion is that this issue does not affect the most recent version of Adobe Acrobat / Reader, which was released last year. I still think this is a very significant discovery, but I don't think such important information should be left out of the discussion to artificially increase concern. Adobe's security advisory provides more details about which versions are affected.
John Dowdell, who I mentioned before when discussing the YouTube security vulnerability, mentions this fact in a post on the topic, and he includes some insight from Leonard Rosenthol of the Adobe Acrobat team:
- This issue only affects the Windows platform. Mac, Linux, etc. users are not affected.
- We found this issue ourselves during our own security/vulnerability testing of Acrobat and introduced a fix as part of Acrobat/Reader 8 for Windows. As such, users of Acrobat/Reader 8 (regardless of browser) are not affected.
- We already have patches prepared for earlier versions of Acrobat and will release those as soon as they are ready. This will address those users who are unable/unwilling to upgrade to Acrobat/Reader 8.
If you're a Windows user, your best bet is to either upgrade to Adobe Acrobat / Reader 8, or disable the plugin from opening within the browser.
If you're an application developer, you can opt to remove all PDFs from your site, or you can force PDFs to be downloaded instead of displayed inline. Richard Lynch has an old post / rant with some useful information. Rich Bowen offers the following advice:
AddType application/octet-stream .pdf
I keep reading about the "anchor tag" not being sent to the server. I finally realized that people mean to say fragment identifier. An anchor tag is just the
<a> tag we use in HTML to create links. (I'll withhold another long-winded rant about technical vocabulary, although that was an interesting discussion.) Hopefully this tidbit can help you if you're trying to follow the ongoing discussion.