Tuesday, September 05, 2006

JavaScript Malware embedded in everything

pdp (architect) from gnucitizen has been on a tear releasing new methods of injecting JavaScript Malware into a web browser, most recently by backdooring QuickTime Movies and Flash Objects, complete with visual tutorials and source code. Then pdp has the AttackAPI, which "provides simple and intuitive web programmable interface for composing attack vectors with JavaScript and other client (and server) related technologies." I haven't had time to play with it yet, but it looks really cool! Nice job pdp, keep up the good work!

Let's stop for a moment and take stock of where we are with web browser security.

JavaScript: Bad
Flash: Bad
QuickTime: Bad
PDF: Bad
Applets: Bad
ActiveX: Very Bad
Firefox Extensions: Safe, but vultures are circling.
CSS: Safe, but vultures are circling.

Now what about MP3s, WMVs, MIDIs, etc.? Do these have facilities for including JavaScript? Maybe it's time to go back to Lynx. Then what fun would the world be. :)

4 comments:

Anonymous said...

You state that PDF is BAD - but give no rationale or explanation.

I would appreciate it if you could document any/all "BAD THINGS" in PDF, as far as malware goes.

Thanks,
Leonard

Jeremiah Grossman said...

Sure thing, another blogger had the same question and began his own thread, "Backdooring PDF Files". I haven't had time to go through his research, but it looks really interesting.

What I was referring to at the time of my post was a mailing list thread, PDF to JavaScript to XML to Exploit, from last year.

"Sverre Huseby (thathost.com) found that new Adobe Acrobat Reader (v7.0) had supported implementations of JavaScript and XML. An attack can be accomplished by having JavaScript execute at PDF document run-time to create an XML Object. The XML Object then makes use of an embedded XML Entity. The XML entity is then able to read in local files (per the XML spec), including /etc/password."

More links within.

Anonymous said...

I have already posted about the "Backdooring PDF" that both of the "doors" were closed by Adobe more than 9 months ago - and that when using the current version of either Reader or Acrobat, users will be warned when his POCs execute. No issue!

As to the other, I hadn't seen that - thanks for bringing it to my attention! I do see where again Adobe closed that hole a number of months ago. So no problems there either.

LDR

Jeremiah Grossman said...

Yah, the known issues look patched. As a user, you have the ability to protect yourself.

For myself though, anything that supports embedded JavaScript sends a shiver down my spine. That's all I meant by the post... listing out what browser-supported file types can potentially host JavaScript Malware.

Thanks for posting!
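
For the PDF case discussed in the comments above, a defender can triage files for embedded JavaScript before they ever reach a reader. The sketch below is an added example, not code from the post or from any tool it mentions; the key names come from the PDF specification, the sample documents are constructed, and it inspects only uncompressed objects.

```python
import re

# PDF name keys (from the PDF specification) that carry script or auto-run actions.
SCRIPT_KEYS = ("JS", "JavaScript")
AUTO_KEYS = ("OpenAction", "AA")

# A PDF name is "/" followed by characters up to whitespace or a delimiter.
_NAME = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes, which PDF permits inside names and which hide a key
    such as /J#61vaScript from a plain substring search."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count script-related keys in the raw bytes of a PDF.
    Limitation: objects inside compressed streams are not inspected, and a "/"
    inside a string literal can be miscounted, so treat hits as a reason to
    inspect the file further, not as a verdict."""
    counts = {key: 0 for key in SCRIPT_KEYS + AUTO_KEYS}
    obfuscated = 0
    for match in _NAME.finditer(data):
        raw = match.group(1)
        name = normalize_name(raw)
        if name in counts:
            counts[name] += 1
            if raw != name.encode("latin-1"):
                obfuscated += 1  # key was written with #xx escapes
    has_script = any(counts[k] for k in SCRIPT_KEYS)
    auto_run = any(counts[k] for k in AUTO_KEYS)
    return {"counts": counts, "obfuscated": obfuscated,
            "has_script": has_script, "runs_on_open": has_script and auto_run}

# Constructed sample documents (minimal fragments, not complete PDFs).
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SCRIPTED = (
    b"%PDF-1.4\n1 0 obj\n"
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert\\(1\\)) >>\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("scripted", SCRIPTED)):
        print(label, triage_pdf(doc))
```
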