how-to block ads
|
|
Uniqs:
585 |
Share Topic
 |
 |
|
|
|
SUMwarePremium
join:2002-05-21
kudos:2 | IE Bug Leaks Private Details From 50 Million PDF Files From The Register
23rd November 2009 - said by Dan Goodin :
A bug in Microsoft's Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said.
The documents stored in Adobe's PDF format display the internal disk location where the file is stored, an oversight that can inadvertently expose real-world names and login IDs of users, the operating system being used and other information that is better kept private. The data can then be retrieved using simple web searches.
Google searches such as this one expose almost four million documents residing on users' C drives alone. Combined with searches for other common drives, the technique exposes more than 50 million files that display the local disk path, according to Inferno, a security researcher for a large software company who asked that his real name not be used.
"If they have those kind of PDFs, somebody can use search engines to find out user names or do more reconnaissance on the operating systems used," he told The Register. "That actually invades the privacy of a user."
The potentially sensitive data is included in PDFs that have been printed using Internet Explorer. The full path location is appended to its contents as soon as the Microsoft browser is used to print the document. Although the data isn't always exposed when the document is viewed with Adobe Reader, it is easily readable when the file is opened in editors such as Notepad, and the text is also available to Google and other search engines.
This PDF, for example, was stored at C:\Program Files\Wids7\WizardReport.htm at time of printing. The path makes it clear that the file was stored on a Windows machine that has software from Worldwide Instructional Design System installed. Other PDFs give up directory names that reveal authors, projects or other data that may have been designated confidential.
The only way to remove the path is erase the text in an editor and save the document.
All versions of IE suffer from the bug. A Microsoft spokeswoman said company engineers are working to reproduce the reported behavior. "We can confirm that this is not a vulnerability," she wrote in an email.
Adobe representatives didn't reply to requests for comment. Inferno's report is here.
| | |
|
 Link LoggerPremium,MVM
join:2001-03-29
Calgary, AB
kudos:3
 ·Shaw
| hmmmm sounds like someone is new to security? Lets see hacking 101 includes using Google (or any other search engine for that matter) as one of the best recon sources available for things like potentially juicy file locations. Second meta data isn't IE's doing or problem.
Sound like Dan Goodin needs to take the advanced script kiddie course and then he might start looking to see what other metadata is in those files as this is more what the linked article talks about »securethoughts.com/2009/11/milli···k-paths/
Meta data isn't an IE issue as its dependent on what the creating/editing software includes, and Meta data is one of those things that enables people/software to do a pile of things, so removing it would/might/whatever reduce functionality, a trade that a lot of people might not be willing to make. Now if your uber concerned about meta data, then one needs to remember to strip it out before publishing any file.
As for me most of my files have a creation path of:
C:\Users\Blake\Documents (yep I'm using Windows 7)
or if I really want to secure it I create it in
C:\Users\Betty\Documents (that will fool them for sure)
In short this isn't much of a security issue, other then some meta data might expose more then you wanted, but it has nothing to do with IE and so once again Dan Goodin proves he doesn't get security or even how computers/software/data works and perhaps should seek a different career then writing about computer security.
Blake
Luke never underestimate the power/value of notepad.....
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool | |
| reply to SUMware
Who cares? Files contain meta data, this is not new. | |
|
