Adobe SVG Viewer Fails to Observe Your Active Scripting Security Settings
SecurityTracker Alert ID: 1007891
SecurityTracker URL: http://securitytracker.com/id/1007891
Date: Oct 7 2003
Execution of arbitrary code via network
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 3.0 and prior versions
A vulnerability was reported in the Adobe SVG Viewer. The viewer bypasses the target user's Active Scripting security settings. Applications such as web browsers that embed the SVG Viewer WebBrowser control are also affected.
GreyMagic Software reported that a remote user can create a Scalable Vector Graphics (SVG) document or HTML that, when loaded by the target user, invokes the viewer and executes Active Scripting on the target user's system, even if the target user has ostensibly disabled Active Scripting.
By design, the viewer provides a Document Object Model that allows scripting code to manipulate SVG documents using the Microsoft JScript engine, the report said. If an HTML document refers to an SVG document, the scripting code can reportedly control the parent HTML document, but the target user's web browser Active Scripting security settings are ignored.
A demonstration exploit is available at:
The vendor was reportedly notified on August 21, 2003.
A remote user can create content that will bypass the target user's Active Scripting security settings.
The vendor has released a fixed version (3.01), available at:
Vendor URL: www.adobe.com/svg/overview/whatsnew.html
Access control error, State error
Underlying OS: Windows (Any)
Source Message Contents
Subject: [VulnWatch] Adobe SVG Viewer Active Scripting Bypass (GM#002-MC)
GreyMagic Security Advisory GM#002-MC
By GreyMagic Software, Israel.
07 Oct 2003.
Available in HTML format at http://security.greymagic.com/adv/gm002-mc/.
Topic: Adobe SVG Viewer Active Scripting Bypass.
Discovery date: 19 Aug 2003.
Adobe SVG Viewer (ASV) 3.0 and prior.
Note that any other application that embeds ASV is affected as well,
including the WebBrowser control. Therefore, any application that makes use
of the WebBrowser control is vulnerable (Internet Explorer, AOL Browser, MSN
Scalable Vector Graphics (SVG) is a relatively new XML-based language for
creating and controlling vector graphics. The language was standardized and
endorsed by the WWW Consortium (W3C).
Several SVG parsers and renderers have been released as browser plugins, but
the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe:
"Adobe SVG Viewer 3.0 is available in 15 languages and many millions of
viewers have already been distributed worldwide."
SVG documents may be manipulated by script, through a full Document Object
Model that the plugin exposes. In order to achieve an independent method of
manipulation, ASV creates an instance of the Microsoft JScript engine, which
is then used to parse and execute script blocks that appear in the document.
When parsed in the browser environment, SVG documents are able to interact
with the containing HTML document by using the "parent" property. By
referring to the HTML document, script running in the SVG document is able
to fully control the parent's content.
The problem is that ASV completely disregards the browser's Active Scripting
settings, thereby making it easy for attackers to utilize scripting
abilities and HTML DOM manipulations without having to rely on Active
Scripting being enabled by the user. Many users choose to disable Active
Scripting in the browser for security reasons, since even though Active
Scripting isn't in itself a threat (in most cases), it happens to be a major
component in browser-based attacks.
We put together a proof of concept demonstration, which can be found at
GreyMagic brought this issue to Adobe on 21-Aug-2003. They have devised a
patched version (ASV 3.01) and made it available on the official ASV
download site at http://www.adobe.com/svg/viewer/install/mainframed.html.
Adobe SVG Viewer 3 Build 76.
The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.
GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory.
- Copyright © 2003 GreyMagic Software.
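
Because the viewer runs script blocks in its own JScript engine regardless of the browser's Active Scripting setting, a filter that wants to keep scripted SVG away from an unpatched viewer has to inspect the document itself. The Python check below is an added example, not part of the GreyMagic advisory or of any Adobe code; it flags script elements, event-handler attributes, script URIs and script that references "parent". The function name `find_active_content`, the finding labels and the two sample documents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SCRIPT_URI = ("javascript:", "vbscript:")

def local(name):
    """Strip an '{namespace}' prefix from an ElementTree tag or attribute name."""
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(svg_text):
    """Return (kind, detail) findings for constructs that make an SVG run script."""
    # Fail closed: entity declarations and malformed XML are flagged, not parsed around.
    if "<!ENTITY" in svg_text.upper():
        return [("entity-declaration", "rejected before parsing")]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            body = el.text or ""
            findings.append(("script-element", tag))
            # The advisory's point: SVG script reaches the embedding HTML via "parent".
            if re.search(r"\bparent\b", body):
                findings.append(("parent-reference", tag))
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):
                findings.append(("event-handler", f"{tag}@{name}"))
            elif name == "href" and value.strip().lower().startswith(SCRIPT_URI):
                findings.append(("script-uri", f"{tag}@{name}"))
    return findings

# Constructed sample documents (not taken from the advisory or its demonstration).
STATIC_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
SCRIPTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    '<script type="text/ecmascript"><![CDATA[ var d = parent.document; ]]></script>'
    '</svg>'
)

if __name__ == "__main__":
    for label, doc in (("static", STATIC_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, find_active_content(doc))
```

An empty result means the document carries no script-bearing construct the check knows about; anything else, including a document that fails to parse, should be treated as active content.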