Hyperdose Security Advisory

Name: Local file detection found through Adobe Reader ActiveX control 
Systems Affected: Adobe Reader 7.0 and earlier
Severity: Low
Author: Robert Fly - robfly@hyperdose.com 
Advisory URL: http://www.hyperdose.com/advisories/H2005-06.txt

--Adobe Description--
>From Adobe.com, "Adobe helps people and businesses communicate better
through its world-leading digital imaging, design, and document technology
platforms for consumers, creative professionals, and enterprises.".  

--Bug Details--
Adobe Reader contains a Safe for Scripting method with the definition of
VARIANT_BOOL LoadFile([in] BSTR fileName).  A malicious user can take
advantage of this if they can get their victim to navigate to their
malicious website.  On the website, the attacker can call the LoadFile
method, passing in a local file name on their victim's computer.  Using this
method, the attacker is able to determine file existence on their victim's
machine.  Through this method it is not possible to extract the content of
the file.

This attack would be useful as a stepping stone to further attacks.  Knowing
the existence of a local file an attacker can gain knowledge as to the
software and likely versions of software the individual is using.

NOTE: This bug was discovered by NISCC in parallel prior to the fix release.

--Fix Information--
Upgrade info and further details from Adobe can be found here:
http://www.adobe.com/support/techdocs/331465.html
This fix was originally posted on 4/1/05.

--About Hyperdose--
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle.  We specialize in all phases of software development
ranging from security design and architectural reviews, security code
reviews and penetration testing.

web   www.hyperdose.com 
email robfly@hyperdose.com