Much Ado About Adobe and Universal XSS

I've been putting this off since I wanted to do it justice in explaining why all of a sudden cross-site scripting (XSS) attacks are relevant to client-side security rather than mostly server-side. It's a very important paradigm shift which may or may not be repeated in other applications in the future. Stop on by to the Wikipedia site on XSS if you need a refresher on cross-site scripting.

So the web-application security types were pretty astounded to find that a browser plugin, Adobe Reader v7 and below, allowed JavaScript to be appended to URLs. Functionally, this meant that if a user was browsing with the Acrobat plugin, any site which hosted any .pdf file could potentially be exploited via XSS attacks. Jeremiah Grossman, who writes about web-application security (the traditional domain of XSS), made a very good blog post about the implications of what is now being referred to as a Universal-XSS (UXSS) attack.

Beyond that, you will see in that link that he links to a post by RSnake, another web-application security fixture, which shows that if you can get a user to click a file:// link (or not, remember your IFRAME basics ;)) to the default example pdf included with Adobe Reader, you can then have JavaScript running in the local user context. For an example of some of the more creative stuff that Grossman has shown malicious JavaScript capable of, check out his slides from last BlackHat.

Generally I have never been very interested in XSS, but reading about this issue has got me thinking a bit. The HoneyClient project's first and foremost concern is the issue of malicious servers exploiting vulnerable clients. But we are also acting on a secondary, implicit assumption: that the server is attacking the client in order to compromise the client itself. When you start getting into XSS or Cross-Site Request Forgery (CSRF), you actually have a server exploiting a client so that it can turn around and exploit some other server (by stealing the user's credentials to gain access to that server, attacking the applications running on it, etc.). It's just a slight twist, but it leads to a very expansive area of vulnerabilities.

Anyway, the UXSS issue was not present in the recently released v8 of Adobe Reader, and Adobe eventually released 7.0.8 to deal with it in the v7 line. Their advisory can be found here, and this issue was assigned CVE-2007-0045.
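The site-owner side of this is worth making concrete. Because the plugin renders an inline PDF inside the hosting site's origin, the usual server-side mitigation while clients are unpatched is to force PDFs to download (Content-Disposition: attachment) rather than render in the plugin. The script below is an added example, not code from this post or from Adobe; it audits a list of response headers for inline-rendered PDFs, and the sample responses are constructed.

```python
# Added example: find PDFs a site serves inline, i.e. ones the Reader
# browser plugin would render in the site's own origin (the exposure
# behind CVE-2007-0045 on Reader <= 7.0.7). The mitigation assumed here
# is to serve PDFs with "Content-Disposition: attachment" so the plugin
# never runs in the page's context. All sample responses are constructed.
from typing import Dict, List, Tuple

Header = Dict[str, str]


def _get(headers: Header, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def pdf_exposure(url: str, headers: Header) -> str:
    """Classify one response as 'not-pdf', 'inline-pdf' (rendered by the
    plugin in the site's origin) or 'attachment-pdf' (forced download)."""
    ctype = _get(headers, "Content-Type").split(";")[0].strip().lower()
    path = url.lower().split("?")[0]
    # With no Content-Type the browser sniffs, so treat a .pdf path as a PDF.
    looks_pdf = ctype == "application/pdf" or (ctype == "" and path.endswith(".pdf"))
    if not looks_pdf:
        return "not-pdf"
    disposition = _get(headers, "Content-Disposition").strip().lower()
    if disposition.startswith("attachment"):
        return "attachment-pdf"
    return "inline-pdf"


def audit(responses: List[Tuple[str, Header]]) -> List[str]:
    """Return the URLs whose PDFs are still rendered inline."""
    return [url for url, headers in responses if pdf_exposure(url, headers) == "inline-pdf"]


# Constructed sample responses (not captured from any real site).
SAMPLE: List[Tuple[str, Header]] = [
    ("https://example.test/docs/report.pdf", {"Content-Type": "application/pdf"}),
    ("https://example.test/docs/form.pdf",
     {"Content-Type": "application/pdf", "Content-Disposition": "attachment; filename=form.pdf"}),
    ("https://example.test/index.html", {"Content-Type": "text/html; charset=utf-8"}),
    ("https://example.test/download?id=7", {"content-type": "Application/PDF"}),
    ("https://example.test/old/manual.pdf", {}),
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("inline PDF, exposed on unpatched Reader plugin:", url)
```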