Scalable Vector Graphics (SVG) is a relatively new XML-based language for creating and controlling vector graphics. The language was standardized and endorsed by the WWW Consortium (W3C).
Several SVG parsers and renderers have been released as browser plugins, but the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe: "Adobe SVG Viewer 3.0 is available in 15 languages and many millions of viewers have already been distributed worldwide."
A vulnerability in Adobe SVG Viewer allows remote attackers to make the viewer execute script even though Active Scripting has been specifically disabled in the browser.
Credit:
The original advisory can be found at: http://security.greymagic.com/adv/gm002-mc/.
The information has been provided by GreyMagic Software.
Affected applications:
* Adobe SVG Viewer (ASV) 3.0 and prior
* Adobe SVG Viewer 3 Build 76
Note that any other application that embeds ASV is affected as well, including the WebBrowser control. Therefore, any application that makes use of the WebBrowser control is vulnerable (Internet Explorer, AOL Browser, MSN Explorer, etc.).
Technical details:
SVG documents may be manipulated by script, through a full Document Object Model that the plugin exposes. In order to achieve an independent method of manipulation, ASV creates an instance of the Microsoft JScript engine, which is then used to parse and execute script blocks that appear in the document.
When parsed in the browser environment, SVG documents are able to interact with the containing HTML document by using the "parent" property. By referring to the HTML document, script running in the SVG document is able to fully control the parent's content.
The problem is that ASV completely disregards the browser's Active Scripting settings, making it easy for attackers to use scripting and HTML DOM manipulation without having to rely on Active Scripting being enabled by the user.
Many users choose to disable Active Scripting in the browser for security reasons, since even though Active Scripting isn't in itself a threat (in most cases), it happens to be a major component in browser-based attacks.
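Because ASV runs script blocks regardless of the browser setting, the SVG content itself is the only place left to check for script. The following is an added example, not part of the GreyMagic advisory: a heuristic scanner that flags script elements, event-handler attributes and references to the "parent" property in an SVG document. The function names, finding labels and both sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic: script reaching for the embedding HTML page ("parent" property).
PARENT_REF = re.compile(r"\b(?:parent|top)\s*\.")

def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(svg_text):
    """Return (kind, where) findings for script-capable content in an SVG."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]  # fail closed: treat as suspect
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            body = el.text or ""
            findings.append(("script-element", "inline" if body.strip() else "external"))
            if PARENT_REF.search(body):
                findings.append(("parent-reference", "script"))
        for attr, value in el.attrib.items():
            a = local(attr)
            if a.startswith("on"):  # onload, onclick, ...
                findings.append(("event-handler", f"{tag}@{a}"))
                if PARENT_REF.search(value):
                    findings.append(("parent-reference", f"{tag}@{a}"))
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(("script-uri", f"{tag}@{a}"))
    return findings

# Constructed samples (not taken from the advisory or its proof of concept).
SAMPLE_STATIC = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SAMPLE_SCRIPTED = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init(evt)">
  <script type="text/ecmascript"><![CDATA[
    function init(evt) { var host = parent.document; }
  ]]></script>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("static", SAMPLE_STATIC), ("scripted", SAMPLE_SCRIPTED)):
        print(label, find_active_content(doc))
```

An empty result means the document parsed cleanly and none of these markers were found; a document that does not parse is reported rather than passed.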
Demonstration:
GreyMagic put together a proof of concept demonstration (ASV 3.0 or prior required). Turn Active Scripting off before trying it, in order to properly test it.
Solution:
GreyMagic brought this issue to Adobe on 21-Aug-2003. They have devised a patched version (ASV 3.01) and made it available on the official ASV download site.