Pdp,
I agree, it's a client issue and to fix it entirely one has to update
Acrobat.
> pdp wrote:
>
> IMHO, you misunderstand the impact of this vulnerability. You are
> assuming that the user clicks on a pdf link which executes the
> malicious JavaScript. That's not always the case. I've seen various
> solutions to this issue and none of them work. The best thing to do is
> to upgrade to Reader 7.9 or 8. Even when you try to do some crazy
> redirection-token-magic :), it is up to the client to decide how that
> is going to be processed. In several simple steps the remote PDF file
> can be cached and recalled via
>
> <object data="http://[path to file]"></object>
>
> this also bypasses the content-disposition fix plus several
> other fixes.
Did you already describe that behavior anywhere? I'd really like to know a
bit more about the "several simple steps".
>
> As I said, the best thing to do is to upgrade. Use JavaScript to check
> the version of the PDF plugin and if it is less than 7.9 prompt the
> user. This is it.
As we all know, it relies on the user whether he/she's going to definitely
patch his/her software. Nonetheless, I would be interested in that
JavaScript.
Thanks,
Cyrill
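One way to do the client-side version check pdp describes, as an added example that is not code from either poster: it walks the plugin list the browser exposes, picks out the Adobe PDF plugin and reports whether it is older than a given minimum. The threshold "7.9" is the one quoted in the thread; the plugin name/description strings matched and the sample plugin list are constructed assumptions.

```javascript
// Added example: detect an outdated Adobe Reader browser plugin and warn.
// Matching on "Adobe Acrobat"/"Adobe PDF" in the plugin name or description
// and reading the version from `version` or the description are assumptions.

// Parse "7.0.9", "8.0" etc. into an array of integers; null if no version
// token is present.
function parseVersion(text) {
  const m = /(\d+(?:\.\d+)+)/.exec(text || "");
  return m ? m[1].split(".").map(Number) : null;
}

// Compare two version arrays component by component (missing part = 0).
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Given a list of {name, description, version} objects (the shape of
// navigator.plugins entries), find the Adobe PDF plugin and classify it.
// Result: "missing" | "outdated" | "ok".
function checkPdfPlugin(plugins, minVersion) {
  for (const p of plugins) {
    const label = `${p.name || ""} ${p.description || ""}`;
    if (!/adobe (acrobat|reader)|adobe pdf/i.test(label)) continue;
    const v = parseVersion(p.version) || parseVersion(label);
    if (!v) return "outdated"; // unknown version: treat as not safe
    return compareVersions(v, parseVersion(minVersion)) < 0 ? "outdated" : "ok";
  }
  return "missing";
}

// Browser entry point; returns null where navigator.plugins is unavailable.
function warnIfOutdated(minVersion) {
  if (typeof navigator === "undefined" || !navigator.plugins) return null;
  const state = checkPdfPlugin(Array.from(navigator.plugins), minVersion);
  if (state === "outdated") {
    alert("Your Adobe Reader plugin is older than " + minVersion +
          "; please update it before opening PDF links.");
  }
  return state;
}

// Constructed sample data for running this outside a browser.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 9.0 r28" },
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In", version: "7.0.8" },
];
```

A user can of course still ignore the prompt, so this only complements the upgrade; it does not replace it.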
Received on Feb 14 2007