Carlos E. R. wrote:
The Wednesday 2006-01-25 at 16:01 -0800, Crispin Cowan wrote:
* PDF: Did you know that the PDF standard allows for embedded Javascript? And that the Adobe Acrobat viewer executes this ...
I thought this only applied to acrobat version 7. Also, I though that other viewers, like xpdf, were safe in this respect. I first noticed this behavior in Acrobat 7. I do not know for sure whether or not other PDF viewers do or do not implement the Javascript functionality. It would not surprise me to see a Javascript "improvement" appear in them some time.
A trick was published here about how to block acroread from contacting internet outside, using the local machine firewall. I posted a trick of how to prevent it using AppArmor, which is to deny Acrobat read access to the Javascript libraries. If there was a firewall-based trick, I haven't seen it. I have some issue with whether it *could* work; you are going to want to configure your firewall so that HTTP requests can go out port 80, and there is nothing to prevent the Javascript from using exactly that channel to get their message out.
Serious security stud muffins might argue that they would have web access blocked on their super secret machines. But what about DNS? Because web-bug information can be sent out via contrived DNS requests too. DNS makes a great channel for sneaking data around networks, because just about all firewalls pass it, so you can always get it through, so long as you have a DNS server that will collaborate with your signals. Long ago, Marcus Ranum allegedly implemented Telnet running over DNS. More recently, Dan Kaminsky has made a career out of demonstrating stuff as sophisticated as streaming video over DNS. The important take home lesson here is that if malware gets inside your protection, it almost certainly can export data out through any firewall. You have to do something more specific to prevent it from exporting your secret data.
Very interesting writeup, thank you! Thanks!
Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Olympic Games: The Bi-Annual Festival of Corruption