They are just covering their asses in case someone figures out a scenario where this bug is actually useful, and tries going on a media whoring campaign talking about how evil Adobe is for not originally rating the vulnerability higher.

You bunch of whiny, prissy homo fucks.

On Wed, 17 Oct 2007 11:26:15 -0400 Justin Klein Keane <[EMAIL PROTECTED]> wrote:
>Adobe has a work around (but doesn't seem to have a fix yet) for this
>vulnerability (which they categorize as "critical"). They also state
>(and testing seems to validate) that impact is limited to Windows XP
>machines with IE 7.
>
>http://www.adobe.com/support/security/advisories/apsa07-04.html
>
>
>Justin C. Klein Keane
>
>Sr. Programmer Analyst and Information Security Specialist
>University of Pennsylvania
>School of Arts and Sciences Computing
>3600 Market St.
>Philadelphia, PA 19104
>
>[EMAIL PROTECTED] wrote:
>>> Why everybody said it is a zero day about PDF? it's just a fault in
>>> IE7, or just want to make a big media hit? real PDF zero day will
>>> exists in the PDF's file format, or some Adobe's expanded functions.
>>
>> Actually, it's about PDF *and* IE7. Both are at fault, and if either
>> one of them was doing the right thing, the exploit would fail.
>>
>> The first fault is Adobe's. Because it's their code that first
>> acquires the input from the attacker, it's their job IMHO to validate
>> it properly, but they don't. Instead, they turn around and tell
>> Windows to open the bogus URI.
>>
>> The second fault is IE7's. The protocol handler used to fail
>> gracefully by rejecting this kind of malformed URI, but now it
>> doesn't. The new behavior is to turn around and call ShellExecute()
>> with data taken from the URI.
>>
>> I prefer to think of it this way: Adobe's code has been doing the
>> wrong thing for years, and they've gotten lucky. But now, a new bug
>> in IE7 has come along which makes the old bug in Adobe's code
>> exploitable.
>>
>> - Eric
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
