Re: [suse-security] Does Rich Text hold the same risks as html ?
Carlos E. R. said:
> The Wednesday 2006-01-25 at 16:01 -0800, Crispin Cowan wrote:
>> * PDF: Did you know that the PDF standard allows for embedded
>> Javascript? And that the Adobe Acrobat viewer executes this
>> Javascript? Much much scarier than web bugs.
>
> I thought this only applied to Acrobat version 7. Also, I thought that
> other viewers, like xpdf, were safe in this respect.
Javascript is included in the PDF specification at least since v1.3
(i.e. Acrobat 4).
And PDF supports event-triggered "auto-open" scripts with the same bad
security design as MS Office formats (see chapter 8.5.2 in
http://partners.adobe.com/public/developer/en/pdf/PDFReference.pdf for
details).
I'm not sure if xpdf implements the javascript functionality.
For Acrobat, javascript/ECMAscript functionality is implemented as a
plugin called "Escript.api" (found in the "plug_ins" subdirectory).
To disable a plugin, simply remove it from this directory (including
any subdirectories).
Warning: Many other plugins depend on javascript (including the plugins
for forms, spellcheck, weblinks, accessibility, digital signatures,
multimedia). All these won't work properly without javascript.
--
Michel Messerschmidt, lists@xxxxxxxxxxxxxxxxxxxxxxx
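
As an added example (not part of the original message, and not code from Adobe or any viewer project): a Python triage check that reports whether a PDF's bytes contain the name keys the format uses for JavaScript actions (/JavaScript, /JS) and for event-triggered actions (/OpenAction, /AA). The two sample documents are constructed fragments and the function names are hypothetical.

```python
import re

# Name keys tied to scripting and event-triggered actions in the PDF format.
KEYS = ("JavaScript", "JS", "OpenAction", "AA")

# A PDF name: "/" followed by characters up to whitespace or a delimiter.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw):
    """Undo #xx escapes in a name, so J#61vaScript is read as JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def script_indicators(pdf_bytes):
    """Count how often each key in KEYS occurs among the name tokens."""
    counts = dict.fromkeys(KEYS, 0)
    for match in NAME_RE.finditer(pdf_bytes):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts

def needs_review(pdf_bytes):
    """True if any scripting or auto-run key is present."""
    return any(script_indicators(pdf_bytes).values())

# Constructed sample: catalog with an open action pointing at a script action.
SAMPLE_SCRIPTED = b"""%PDF-1.3
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
3 0 obj
<< /S /J#61vaScript /JS (var constructed = 1;) >>
endobj
"""

# Constructed sample: catalog with no scripting or auto-run keys.
SAMPLE_PLAIN = b"""%PDF-1.3
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
"""

if __name__ == "__main__":
    for label, data in (("scripted", SAMPLE_SCRIPTED), ("plain", SAMPLE_PLAIN)):
        print(label, script_indicators(data), needs_review(data))
```

Names inside compressed streams are not visible to a raw byte scan, and a key that happens to appear inside a string literal is counted too, so treat the result as a triage signal rather than a verdict.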