Hacker Discovers Adobe PDF Back Doors

Following a Digg link, we can read on eWeek, in Ryan Naraine's reporting, that a hacker named David Kierznowski, a "penetration testing expert" by trade (ah, what a nice life goal, cf. Inetpub Certified Drink Master Professionals),

released proof-of-concept code and rigged PDF files to demonstrate how the Adobe Reader program could be used to launch attacks without any user action.

The hacker says he has not yet come across a concrete implementation of the technique he worked out. His published demos, which can be opened in a fully patched Acrobat Reader:

describe a fairly dangerous situation. The company concerned is, of course, trying to downplay the matter.

Kierznowski said his interest in auditing PDF files for back doors comes from a fascination with the concept of "passive hacking."

"Active exploitation techniques such as buffer overflows are becoming more and more difficult to find and exploit ... The future of exploitation lies in Web technologies," he said, noting that internal users are often in a "relationship of trust" with the surrounding network.

Confirming a trend that sees Microsoft Office applications—Word, Excel, PowerPoint—used in zero-day attacks, Kierznowski sees a future of client-side hacking that expands the functionality of a service.

"This form of hacking merely manipulates the user's client to perform a certain function, effectively using the user's circle of trust," he said.


Posted Sep 16 2006, 06:37 AM by Kurbli