[Nanzikambe]

The lack of additional detail in this very sparse announcement really compromises users' ability to damage control effectively.

Would like to know if an installation is vulnerable if:

    1) If Applications, PDF is set to "Always ask"
    2) Ublock and/or privoxy are used
    3) Javascript is disabled
    4) pdfjs.previousHandler.alwaysAskBeforeHandling == false
    5) pdfjs.disabled == true

Also which advertising network and which Russian site would be helpful for blocklists.

[fukusa]

Hi,

I reported this 0-day. It used a PDF.JS same origin policy violation to access local files. You should be safe because you have javascript disabled and pdfjs.disabled set to true. There's no way for the script to run. It was on a international news website operating from Russia. The exploit was not on an ad network. The exploit was simply injected on every news article page through an iframe. Therefore I assume the news site was compromised. It could have been deliberately injected by the website operators, but I highly doubt it. The exploit targeted developers or tech-savvy people. On Linux, it targeted the contents of the ~/.ssh directory and some other sensitive files. I should say that I am not a security expert and I came across this 0-day by accident.

[stevenh]

Please identify the exact international news website. Was it rt.com?

[fukusa]

No it was not. I'm not sure if I should mention which website it was (yet). The exploit is still active. I am trying to get in touch with them to get it removed.

[gorhill]

> The exploit was simply injected on every news article page through an iframe

Was the "src" of the iframe 3rd-party to the web site? I want to know whether merely blocking 3rd-party iframes would also have prevented the exploit from working even if javascript is not blocked.

[fukusa]

Yes it was so it would have prevented the exploit from loading.

[Brybry]

Do you know if NoScript with javascript disabled but iframes allowed and pdfjs enabled would have stopped it?

A vulnerability test would be really nice but I understand why it doesn't exist yet.

[fukusa]

It would have stopped it. Js has to be active for the exploit script to run.

[Nanzikambe]

My thanks for reporting it and this clarification

[tombrossman]

Agreed, I use an ad blocker and have Firefox's PDF viewer disabled and I have no clue if I'm still vulnerable. At a minimum, I'd like to know if disabling the viewer is enough to mitigate the risk, or if popular add-ons like Adblock Plus, NoScript, or Privacy Badger are enough.

[616c]

Totally agreed. I use a few of those, and I have exempted pdf.js in the past because I would rather use that then native PDF readers on my work laptop, since Adobe Reader/Acrobat is a wonderfully famous vector.

Inquiring minds would like to know.