Pdp,
I agree, it's a client issue and to fix it entirely one has to update
Acrobat.
pdp wrote:
IMHO, you misunderstand the impact of this vulnerability. You are
assuming that the user clicks on a pdf link which executes the
malicious JavaScript. That's not always the case. I've seen various
solutions to this issue and none of them work. The best thing to do is
to upgrade to Reader 7.9 or 8. Even when you try to do some crazy
redirection-token-magic :), it is up to the client to decide how that
is going to be processed. In several simple steps the remote PDF file
can be cached and recalled via
<object data="http://[path to file]"></object>
this also bypasses the content-disposition fix plus several
other fixes.
Did you allready discribe that behavior anywhere, i'd really like to know
bit more about the "several simple steps".
As I said, the best thing to do is to upgrade. Use JavaScript to check
the version of the PDF plugin and if it is less then 7.9 prompt the
user. This is it.
As we all know, it relies on the user whether he/she's going to definitely
patch his/her software. Nonetheless, I would be interested in that
JavaScript.
Thanks,
Cyrill
-------------------------------------------------------------------------
Sponsored by: Watchfire
As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fH6
--------------------------------------------------------------------------
