Australia's Leading Computer Emergency Response Team
Recent Adobe Acrobat/Reader PDF vulnerabilities

Date: 25 September 2007

Late last week there was a post to the BugTraq and Full Disclosure security mailing lists with the subject "0day: PDF pwns Windows". It contained a URL, http://www.gnucitizen.org/blog/0day-pdf-pwns-windows, but very little detail. The web site didn't contain any additional information either, but was later updated to include a movie of the alleged exploit. As usual, Full Disclosure then went off on a tangent to argue about the definition of "0day".

The researcher claims this is a high-risk vulnerability which can "completely" compromise your Windows box, but it is unclear whether it allows execution of commands as the logged-in user or as SYSTEM.

This leaves us with an alleged vulnerability in Adobe Acrobat/Reader, without any information as to where it lies, whether the vendor has been contacted, or mitigation strategies beyond "My advise [sic] for you is not to open any PDF files (locally or remotely)". We contacted Adobe and they have confirmed they are investigating, but we currently have no useful additional details to pass on to you, our constituents.

This security researcher has not provided enough details for the bad guys to start using this vulnerability in the wild, nor for the good guys to put in practical mitigation measures. Also, he/she chose not to notify the vendor, instead stating "Adobe's representatives can contact me from the usual place." and posting this to public security mailing lists. This security researcher could have quietly reported the vulnerability to Adobe (they even have a web form for this very purpose), who would have fixed the problem and released a patch/advisory crediting the researcher. That appears to have been insufficient for this researcher, as I can see no reason to disclose a vulnerability in this way except for notoriety. So ego still gets a look-in as a motivator in vulnerability research, albeit a poor second to money. Others have successfully converted notoriety into money, but it seems a long way around in this case.

This is a situation that we see quite a bit at AusCERT - unconfirmed vulnerabilities without sufficient information to reproduce them, no confirmation of the vulnerability from the vendor, and no mitigation or patch information. We typically do not send out a bulletin in these situations, as we feel that the AusCERT membership would not benefit from such a vague warning. On the other hand, based on this information, some may decide to take action anyway (e.g. quarantining PDF files entering the organisation). So we'd be interested in hearing from our membership whether they want to receive this kind of information, what they would do with it (if anything), and what would be the best way to receive it.

Regards,
Rob
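One way to act on the "quarantine incoming PDF files" option mentioned above, as an added example that is not AusCERT's tooling and is not part of the original post: a mail-gateway style classifier that identifies attachments by the PDF header rather than by file name, because a PDF renamed to .doc sails through an extension-only check. The 1024-byte tolerance for junk before the %PDF- header is an assumption about Adobe Reader's behaviour, the conservative quarantine policy is an assumption for the example, and the sample attachments are constructed, not real mail.

```python
import re
from dataclasses import dataclass

# A PDF file begins with a header such as "%PDF-1.4". Adobe Reader is
# tolerant of leading junk before that header (assumed here to be up to
# 1024 bytes), so a filter that only checks offset 0 can be bypassed by
# prepending a few bytes; we therefore search a window, not just the start.
PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
HEADER_SCAN_WINDOW = 1024 + 8  # leading junk plus the header itself


@dataclass
class Verdict:
    filename: str
    quarantine: bool
    reason: str


def looks_like_pdf(data: bytes) -> bool:
    """True if a PDF header appears within the window Reader would accept."""
    return PDF_HEADER.search(data[:HEADER_SCAN_WINDOW]) is not None


def classify_attachment(filename: str, data: bytes) -> Verdict:
    """Decide whether an attachment should be quarantined as a PDF.

    Policy (conservative, assumed for this example): quarantine anything
    that is a PDF by content regardless of its name, and anything that
    claims to be a PDF by name but is not, since that is itself suspicious.
    """
    named_pdf = filename.lower().endswith(".pdf")
    content_pdf = looks_like_pdf(data)
    if content_pdf and named_pdf:
        return Verdict(filename, True, "PDF header found")
    if content_pdf:
        return Verdict(filename, True, "PDF header found despite non-.pdf name")
    if named_pdf:
        return Verdict(filename, True, ".pdf name but no PDF header")
    return Verdict(filename, False, "not a PDF")


def filter_message(attachments):
    """Split a message's (filename, bytes) attachments into deliver/quarantine lists."""
    deliver, quarantine = [], []
    for name, data in attachments:
        verdict = classify_attachment(name, data)
        (quarantine if verdict.quarantine else deliver).append(verdict)
    return deliver, quarantine


# Constructed sample attachments, not real mail. The PDF bodies are
# minimal stand-ins for the header check, not complete documents.
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n"),
    ("report.doc", b"\x00" * 200 + b"%PDF-1.7\n%%EOF\n"),  # renamed, junk-prefixed PDF
    ("notes.txt", b"Meeting notes for Tuesday\n"),
    ("setup.pdf", b"MZ\x90\x00" + b"\x00" * 60),              # executable named .pdf
]

if __name__ == "__main__":
    deliver, quarantine = filter_message(SAMPLE_ATTACHMENTS)
    for v in quarantine:
        print(f"QUARANTINE {v.filename}: {v.reason}")
    for v in deliver:
        print(f"deliver    {v.filename}: {v.reason}")
```

The point of scanning a window rather than offset 0 is the second sample: a PDF with 200 bytes of padding and a .doc name is still opened by Reader but would be missed by a naive magic-byte check at the start of the file. Quarantining rather than dropping keeps the files available for release once the vendor publishes a patch or a reliable mitigation.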