J-Security Center

Title: Adobe SVG Viewer Alert Method Zone/Domain Bypass Vulnerability

Severity: HIGH

Description:

Adobe SVG Viewer (ASV) is an application for viewing Scalable Vector Graphics (SVG) documents. It is available as a stand-alone product and may also be embedded in other applications such as web browsers.

ASV implements an alert() method for displaying interactive dialogs to users. The ASV alert() method is prone to a vulnerability that could permit script code to be executed in the context of a foreign domain or another Security Zone (in the case of the viewer being used as a plug-in for Internet Explorer). This could permit malicious script code to access the properties of foreign domains or to execute with the relaxed security restrictions associated with other browser Security Zones.

The source of the issue is that when an SVG document calls the alert() method, the current execution thread pauses and awaits user-supplied input. During this time, it is possible to start another execution thread which can load a window with the URI of a victim domain. When the user responds to the alert dialog, the initial execution thread resumes, and it is then possible for it to access properties of the victim domain. In this manner, it is possible to execute script code in the context of the victim domain. This could also be exploited to execute script code in the context of another Security Zone.

Potential attacks include theft of cookie-based authentication credentials from foreign domains, as well as controlling how sites are rendered to users. Executing malicious script in other Security Zones, such as My Computer, poses a more serious risk, as it may facilitate attacks that allow local files to be read or written and arbitrary code to be executed. The attack vectors may vary depending on whether the viewer is operating on its own or used as a plug-in for Internet Explorer (or other browsers).

ASV 3.0 and prior are reported to be prone to this vulnerability.
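
A triage check for SVG content, as an added example that is not part of the original advisory: it lists inline scripts and event-handler attributes that call alert(), plus external script references it cannot inspect. The function name, finding labels and sample documents are constructed for illustration; a match marks a file for review and is not proof of an exploit attempt.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALERT_CALL = re.compile(r"\balert\s*\(")  # also matches window.alert(

def local(name):
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]

def scan_svg(svg_text):
    """Return (kind, detail) findings for one SVG document (hypothetical helper)."""
    if "<!ENTITY" in svg_text:
        # Do not feed entity declarations to the parser (entity-expansion risk).
        return [("entity-declaration", "not parsed")]
    findings = []
    for el in ET.fromstring(svg_text).iter():
        name = local(el.tag)
        if name == "script":
            href = el.get(XLINK_HREF) or el.get("href")
            if href:
                # Script body lives elsewhere and must be reviewed separately.
                findings.append(("external-script", href))
            if ALERT_CALL.search(el.text or ""):
                findings.append(("alert-in-script", "inline"))
        for attr, value in el.attrib.items():
            if local(attr).lower().startswith("on") and ALERT_CALL.search(value):
                findings.append(("alert-in-handler", f"{name}@{local(attr)}"))
    return findings

# Constructed sample documents, not taken from the advisory.
SAMPLE_FLAGGED = """<svg xmlns="http://www.w3.org/2000/svg" onload="alert('loaded')">
  <script type="text/ecmascript"><![CDATA[
    function notify() { alert("hello"); }
  ]]></script>
  <rect width="10" height="10" onclick="notify()"/>
</svg>"""
SAMPLE_EXTERNAL = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"><script xlink:href="lib.js"/></svg>"""
SAMPLE_CLEAN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for label, doc in [("flagged", SAMPLE_FLAGGED), ("external", SAMPLE_EXTERNAL),
                       ("clean", SAMPLE_CLEAN)]:
        print(label, scan_svg(doc))
```

The pattern match is textual, so script that builds the call name dynamically will not be reported; treat an empty result as "nothing obvious" and not as a clean bill.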

Affected Products:

  • Adobe SVG Viewer 3.0.0
