undefined | Better HN

0 pointsRunSet3y ago0 comments

A more meaningful security boundary might be making HTML viewers' ability to run arbitrary code an opt-in feature, rather than opt-out.

Imagine if every PDF viewer included a virtual machine that ran in the background while viewing the document.

0 comments

RodgerTheGreat3y ago

I have some bad news for you about PDF: https://opensource.adobe.com/dc-acrobat-sdk-docs/library/jsa...

saurik3y ago

Even better, every font renderer does! A couple of the PDF-based jailbreaks for iOS were actually bugs in the virtual machine used by font renderer to allow fonts to do programmatic hinting, and the PDF only really existed as a container to deploy the font and force it to deterministically render exactly what was required.

RunSetOP3y ago

I intuitively expected some trash like that from Adobe which is why I wrote "every PDF viewer" and not "Acrobat Reader".

capitainenemo3y ago

His "breakout" demo works in Chrome's viewer as well (and obviously FoxIt).

warkdarrior3y ago

Opt-in code execution is not a meaningful security mechanism because users do not have the expertise or information to answer a prompt like "Do you want to allow this web page to run code?"

a13692099933y ago

Prompts are not opt-in. Opt-in is moving the mouse to (say) the lower-right corner, clicking on the NoScript icon, and selecting "Temporarily allow example.com".

That's not a panacea, but it at least raises the bar from "get people to even briefly look at your attack site", to "come up with a at-least-vaguely-plausible excuse why your site needs to be handed a remote code execution vulnerability in order to function".

j / k navigate · click thread line to collapse