Dailydave mailing list archives
Re: Blog spam, obfuscated javascript and more!
From: "Dave Korn" <dave.korn () artimi com>
Date: Mon, 28 Jul 2008 17:54:00 +0100
Petja van der Lek wrote on 28 July 2008 16:22:
A word of warning might be in order: the PDF is filled with hyperlinks to (presumably) live malware sites. Navigating the document is therefore not unlike playing Minesweeper. Red flags are not powerups but mean "danger". Mis-click to get pwned.
<boggle> You allow your browser to run javascript ... by default? ... or only specifically when studying malware?
Stuff like that. You might want to use a reader that at least asks for confirmation before it serves up the site in your browser (a quick test shows that Adobe Reader 7 as a Firefox plugin
<double-boggle> You read PDFs in your browser using the plugin?[*]
happily opens a link without asking anything, for instance).
You're barking up the wrong hole here. The problem isn't that if you
click a link in a PDF document viewed in your browser you will browse
straight to it; that's no different than clicking a link on a HTML page
viewed in your browser, and you wouldn't expect it to ask before it followed
a link there. The problem is that you're running untrusted scripts: you're
as vulnerable to getting pwned by an iframe banner ad on MSN or Yahoo as you
are to clumsily clicking a link in a document about malware.
Seriously, nobody should even be here if they don't appreciate that
they're dealing with live munitions and know how to handle them safely.
cheers,
DaveK
[*] - that's not really a security boggle, that's more of a
how-the-hell-long-before-I-get-control-of-my-browser-back-thank-you-very-muc
h-adobe-and-your-godawful-bloatware boggle. Though of course I would still
recommend downloading PDFs with "Save link as..." and viewing them in foxit
so that they're not in the same process space as your browser, just for a
bit of added insulation.
--
Can't think of a witty .sigline today....
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Blog spam, obfuscated javascript and more! val smith (Jul 28)
- Re: Blog spam, obfuscated javascript and more! Petja van der Lek (Jul 28)
- Re: Blog spam, obfuscated javascript and more! Dave Korn (Jul 28)
- Re: Blog spam, obfuscated javascript and more! Petja van der Lek (Jul 28)
- Re: Blog spam, obfuscated javascript and more! val smith (Jul 28)
- Re: Blog spam, obfuscated javascript and more! Dave Korn (Jul 28)
- Re: Blog spam, obfuscated javascript and more! Petja van der Lek (Jul 28)