Mailinglist Archive: opensuse-security (78 mails)

< Previous Next >
Re: [suse-security] Does Rich Text hold the same risks as html ?
  • From: "Carlos E. R." <robin1.listas@xxxxxxxxxx>
  • Date: Thu, 26 Jan 2006 01:50:04 +0100 (CET)
  • Message-id: <Pine.LNX.4.61.0601260144070.8192@xxxxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The Wednesday 2006-01-25 at 16:01 -0800, Crispin Cowan wrote:

> * PDF: Did you know that the PDF standard allows for embedded
> Javascript? And that the Adobe Acrobat viewer executes this
> Javascript? Much much scarier than web bugs.
> o Danger: This Javascript is *explicitly* used by various
> document providers (marketing) to determine who is reading
> their documents.
> o Danger: Javascript is a programming language, and they can
> embed as much malicious code as they want to, running with
> the privilege as the user displaying the document. Do not
> *ever* view a PDF as root.

I thought this only applied to acrobat version 7. Also, I though that
other viewers, like xpdf, were safe in this respect.

A trick was published here about how to block acroread from contacting
internet outside, using the local machine firewall.

> This message was composed in HTML, and then rendered down into 7-bit
> ASCII before sending, for your safety :)

Very interesting writeup, thank you!

- --
Cheers,
Carlos Robinson

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFD2BzNtTMYHG2NR9URAtBXAKCQJ9rTOkAmxYW3T8eObrQPbLgJSgCggvPJ
caUl31joikJ1LYueNlSOnbk=
=tcS2
-----END PGP SIGNATURE-----


< Previous Next >