After reading about the vulnerability found in Adobe Acrobat Reader, which allows an embedded .exe file to launch without user interaction, I was thinking about the risk this really creates. The user still has to click through warnings, and the researcher also found a method to change the text in the warnings... This together is called a 'vulnerability'... I don't really agree... The reader obviously has some protection built in; the file does NOT launch without user interaction at all...

To prove my point I have simulated his research in MS Word. In my POC the file does not automatically open either, but the user is told the document is encrypted and that he should click to decrypt and accept the warnings... VERY similar to the PDF 'exploit/vulnerability'.

If we start calling this a vulnerability, I think we should stop using software altogether... The vulnerability is user stupidity. Don't open files from an untrusted source and don't follow instructions that say 'just click past the 5 warning windows that are coming now...'.

Tested on WinXP / Win7 with some random Office version (I could care less, and on the computer I am on now, I don't even have Office installed...)

Does NOT work on: Open Office, Google Docs

Download file here:
Last Updated ( Thursday, 01 April 2010 )