The subtle art of JavaScript misdirection

Say you're reading a blog post about eBay's security practices, and the blogger says something provocative maybe about some controversial changes in eBay's new privacy policy, a PDF document for which they've included a link. You click, ignoring the gibberish following the .pdf in the URL. The Adobe Reader plugin in your Internet browser automatically launches, rendering the PDF document as intended. However, a secondary browser window opens, and this time it's an eBay login prompt. Or a fraudulent login prompt that's rather convincing given the context. Would you suspect this is a new form of phishing? After all, you clicked a file that's hosted on eBay, right? Turns out there is a flaw in the open parameters feature of the Adobe Reader plug-in, one that makes such a scenario very real--and potentially very dangerous.

This past week we've actually seen two flaws that make rather common applications--Quicktime and Adobe Reader--execute carefully designed and potentially dangerous JavaScript on your computer. Who knew you could do such wonderful things with JavaScript? Seriously, JavaScript has been around for years; it's a component of the backbone of the modern Internet. Now, suddenly, it's the new playground for criminal hackers. Better for us, it's also a hot area of concern for security researchers. Security Watch: The subtle art of JavaScript misdirection - CNET reviews

Linked by shanmuga Wednesday, 10th January 2007 10:08PM