Security

PDF XSS hits the fan

Leave a comment

Another nasty to follow-up on yesterday’s QuickTime post, GnuCitizen reports that PDFs prior to version 8.0 appear to have a serious XSS flaw, and it only seems to impact Acrobat on certain platforms:

PDF documents can execute JavaScript code for no apparent reason by using the following template.

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

You must understand that the attacker doesn’t need to have write access to the specified PDF document. In order to get an XSS vector working you need to have a PDF file hosted on the target and that’s all about it. The rest is just a matter of your abilities and desires.

This finding was originally mentioned by Sven Vetsch, on his blog. The attack vector was discovered by Stefano Di Paola and Giorgio Fedon. This is a very good and quite interesting finding. Good work.

Time to upgrade? Unfortunately the attack is client-side (e.g. uses anchor points, as specified after the # and in page seven of the HighlightFileFormat PDF developer spec). I have to say I’ve been far more wary of PDFs since I noticed Acrobat (writer) code taking up more space than Microsoft Office.

adobe chairThe functionality bundled in by product managers is often overwhelming when most of us really (really!) just want a simple pre-formatted viewer…it’s like being given a top-end massage recliner with built-in multimedia, a cooler, drink holders and remote controllers when all you asked for was a place to sit down.

The original paper by Stefano Di Paola and Giorgio Fedon, released December 2006, can be found here. And, of course, it’s a PDF.

EDITED TO ADD (5 Jan 2007): Local system implication is discussed here, and some comments point to a firefox fix.

History, Security

America’s Holy Blackwater

Leave a comment

Here is an interesting report on militant American forces operating in Iraq and elsewhere:

The former New York Times Mideast Bureau chief warns that the radical Christian right is coming dangerously close to its goal of co-opting the country’s military and law enforcement.

The drive by the Christian right to take control of military chaplaincies, which now sees radical Christians holding roughly 50 percent of chaplaincy appointments in the armed services and service academies, is part of a much larger effort to politicize the military and law enforcement. This effort signals the final and perhaps most deadly stage in the long campaign by the radical Christian right to dismantle America’s open society and build a theocratic state. A successful politicization of the military would signal the end of our democracy.

The parallels with historic militarist movements are obvious:

“Contracting out security to groups like Blackwater undermines our constitutional democracy,â€? said Michael Ratner, the president of the Center for Constitutional Rights. “Their actions may not be subject to constitutional limitations that apply to both federal and state officials and employees—including First Amendment and Fourth Amendment rights to be free from illegal searches and seizures. Unlike police officers they are not trained in protecting constitutional rights and unlike police officers or the military they have no system of accountability whether within their organization or outside it. These kind of paramilitary groups bring to mind Nazi Party brownshirts, functioning as an extrajudicial enforcement mechanism that can and does operate outside the law. The use of these paramilitary groups is an extremely dangerous threat to our rights.”

I was thinking more about the Taliban or the Spanish Civil War, but point taken. It’s no longer sufficient to understand what’s the matter with Kansas, it’s becoming necessary to observe moderate Christians being swept out of public office by militant, organized, rich and highly political radical fringe groups claiming to fight secular bogeyman, or terrorists, or Muslims, or whatever else they can stand on to justify their supremacy in a time of “need”. The clear irony is that fundamentalists always end up quietly moving towards a police-state on a platform that says they must intervene to prevent any movement towards a police-state.

Food, Security

Swedish goats at vanguard of fire-proofing tech

Leave a comment

The BBC has posted an amusing security lesson about the historic battle between arsonists and the keepers of a straw goat:

Goats of Christmas past have been burned down on 22 occasions, ram-raided or simply smashed to pieces.

Authorities said the goat’s longevity in 2006 was down to a special flame-resistant chemical coating.

“If the Gavle goat hadn’t been impregnated with flame-resistant chemicals, we would have been left with a black skeleton,” said Anna Oestman, a member of the city’s goat committee.

Leave it to a Swedish city’s “goat committee” to provide the world a way to protect straw from catching fire. But is it safe to touch/breathe, and can animals eat it, or is it just for decoration (like most food preserved and then brought out for the holiday season)?

This year was a big success compared to last year’s tragic end:

In 2005, arsonists dressed as Santa Claus and the Gingerbread Man burned the goat to the ground.

Beware the Santa who wants to get your goat.