On Wed, 20 Jun 2001, Rich C wrote:
> Following that logic, such an exploit could be accomplished with a JPG
> viewer or, for that matter, Paint.
Very true. Such things *have* happened. In fact, many popular mail
programs (including Microsoft Outlook, Netscape Messenger, and Pine) have had
buffer exploits in their *header processing code*. This means that simply
*receiving a message* (not even reading it!) can open your system up to
attack.
The first rule of security is: Never assume you are safe.
> The PDF document is simply text, graphics, and formatting information,
> similar to a postscript file. To my knowledge, it doesn't contain any
> script or code; nor can the PDF viewer execute any code based on the data
> in the file.
As far as I know, this is correct, provided you qualify it with
"intentionally". If a malicious hacker finds a vulnerability (due to a bug or
bad design), anything goes.
> Plus, doesn't the Acrobat plug-in run in a sandbox, like Javascript?
Hell no! :-) With MSIE, they use an ActiveX control. ActiveX, for those
who are not aware, is away to embed a *binary program* in a web page and have
the web browser run it. This code runs will the *full privileges* of any
other program.
On Linux, viewing a PDF document simply spawns the regular Acrobat Reader.
Pretty much the same thing.
AFAIK, none of the plug-in systems supported by the various browsers run
anything in a sandbox.
Be afraid. Be very afraid.
--
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or |
| organization. All information is provided without warranty of any kind. |
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
