Tag Archives: javascript

[Linux] Demo Exploits for Acrobat in the wild

According to SecurityFocus Adobe Acrobat Reader has been compromised by using a JavaScript buffer overflow.Demo exploits have already been located on the internet. It may only be a matter of time until this exploit gets used by the botnet guys. Pay attention which PDF documents you really need to open on the net.

Description

Acrobat Reader’s getAnnots() Javascript is vulnerable to remote code execution. Arbitrary code can be run with the user’s privileges, thus circumventing Acrobat Reader’s security system.

Affected Versions

Demo Exploits are in the wild for

  • Linux Acrobat Reader 8.14
  • Linux Acrobat Reader 9.1

Other operating system may also be affected.

Workaround

As there is no patch available by Adobe at this moment, uninstalling the Acrobat Reader seems to be the best choice. Third party PDF readers are available all over the net. Find one of them here.

[Anonymity] How To Protect Email Addresses against Spam

The Novel

Since the very beginning of the internet in its occurence as the world wide web (www) in the mid of the 1990s there were bad guys.Those bad guys rapidly realized how to make a quick buck out of the technological inexperience of the new inhabitants of the www. It was the days when people had their first contact with HTML. First projects were showing the people’s dogs and the family and looked kinda ugly – from nowadays view.

So people began to show parts of their privacy to the masses almost without fully realizing that their website from now on was visible all over the world. And they added a contact @ character, hoping that other cool people would send them emails and telling them how cool the website about their dog is. But the people didn’t anticipate the guys who knew how to make money from pulling a fast one on others.

One of the first things the bad guys noticed was the fact that the principle of bulk mails could be easily transferred to the internet. So the bad guys began to manually collect email addresses from the websites of the dogowners and all the others. But what to advertise via email? We nowadays know how this question was answered. Those bad guys began to setup porn websites. They often used illegally copied photos of naked women or sex scenes from magazines.

They sent the dogsowners and all the others invitations for porn- or erotics-sites and appealed to their sexual drives. Many of the early days’ porn site operators were email address collectors themselves. They knew porn would sell till the end of mankind.

It didn’t take long and someone improved the way of collecting email addresses. He coded a robot (spam spider) who was able to scan the websites and search for those two HTML tags:

  • <a href="http://www.linktonextsite.org">Link To Next Site</a>
  • <a href="mailto:mymailaddress@mywebsite.org">Send me a Mail</a>

I bet you can already smell how the story went on. The email addresses were written automatically into databases. And while the internet was growing and the amount of websites escalated virtually thru the roof the amount of people who understood to make a living from sending porn, erotic and viagra mails to the people also increased.

Although the novel above may not be 100% historical accurate, the problem of spam nowadays has become even worse.

Today it is estimated that 90% of the emails sent around the globe are spam.

What can we do about it?

Fight Spam Technically

As we’ve seen how the system works. Bad guys use automated robots to search the www for exploitable email addresses and write them back into their databases. So as a website operator the one and only question to take into consideration is: how to hide the email addresses?

Some time ago we’ve found a very nice way, that we are using for quite some years. We don’t know where we found it – otherwise we would credit the guy who wrote it.

Instead of using

  • <a href="mailto:mymailaddress@mywebsite.org">Send me a Mail</a>

we slightly obfuscate the email address by using Javascript. Every webbrowser nowadays perfectly understands Javascript, Ajax and even more. See here what we do:

  • <a href="#" onclick="mp='@';mp='mymailaddress'+mp;mp+='mywebsite.org';this.href=mp;">Send me a Mail</a>

So what’s happening here?

This integrated javascript reacts after you clicked on the “Send me a Mail” link. It then uses the temporary variable mp to reassemble your email address. By not putting the email address as a string into your HTML source of your website this scripts prevents (almost) any spam robot to recognize your email address. As a matter of course we recommend to use this technique from the first day a website is on the internet.

You can easily modify this javascript by changing the variable to another name or by changing the order.

We hope you had some fun in this lesson and appreciate your feedback.