Sunday, March 13, 2016

Fast-Forward: JavaScript API Exploits


"Abusing Adobe Reader's JavaScript APIs" is a panel presentation from three members of HP's Zero Day Initiative program that was delivered at DEF CON 23, held August 6–9, 2015, in Las Vegas.

It's worth noting that portions of this talk, including the number of known Adobe Acrobat Reader API exploits, were time sensitive, and the exploits may have been patched by the time of this blog post. Right around the 4-minute mark they explain how, during their research, many patches have come out from Adobe that claim to fix this problem, but the team and their bug bounty program continue to find exploits. The exploits appear to be plentiful. During the presentation Brian Gorenc (@Maliciousinput) mentions that they found a new JavaScript exploit while the group was on the airplane on the way to the conference.

It's also worth noting that it is very easy to disable JavaScript in Acrobat with a few clicks; however, it is enabled by default, and the most vulnerable users continue to be the folks who do not update to the latest version of this free software or have disabled autoupdate notifications entirely. Thirty minutes into the talk, Abdul-Aziz Hariri (@abdhariri) also explains which versions are affected — this information is not included in the slides provided on the DEF CON website. To summarize: Mac OS X is extremely vulnerable, and the "Pro" version in Windows is (or was) too.

As a final caveat, the Adobe Acrobat exploits described in this talk require users to open the malicious PDF, either accidentally or intentionally through social engineering. Once they do this, the exploits are "chained" in a way that executes "cleanly" in the background without the user noticing any interruption. This is a departure from memory corruption or fuzzing techniques, which the presenters note as having less predictable behavior in the wild, and these JavaScript API exploits are far more sinister because everything occurs transparently to end users.

At 12 minutes in, Jasiel Spelman (@WanderingGlitch) explains how the team discovers these exploits. If you are familiar with JavaScript, this section of the presentation is worth your time. If not, the takeaway is that they found many undocumented API calls, and the undocumented ones make it a lot easier to elevate privileges. Readers of January's Fast-Forward blog post may note that this "known unknown" element is very similar to the problems security professionals face with shadow IT and shadow data. It can perhaps serve as a reminder that when we talk about data privacy, the discussion should include proactive data discovery and auditing as key elements.

For a full wrap-up of this talk, the concluding remarks begin at minute 34, preceded by a live demo of the exploits in Windows 8.1 and Mac OS X.

© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.