2 min read

Researchers Find Several JavaScript Processing Flaws in Word, Adobe Acrobat, Other Apps

Vlad CONSTANTINESCU
Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Researchers Find Several JavaScript Processing Flaws in Word, Adobe Acrobat, Other Apps

Security researchers found 134 vulnerabilities in the way apps such as Adobe Acrobat and Microsoft Word handle JavaScript. Experts developed a tool to help them with the task and called it Cooper, in reference to "Cooperative mutation," a technique employed by the tool.

Of the 134 flaws identified by the app, 59 were considered fit to receive fixes by vendors, 33 received CVE numbers, and 17 yielded a total of $22,000 in bug bounty payments. During the Black Hat Asia conference in Singapore, Chinese Academy of Sciences' Ph.D. student Xu Peng, a co-author of the tool, said that certain apps, such as Word and Acrobat, allow scripting language input.

Xu elaborated that Adobe Acrobat permits PDF manipulation through JavaScript, which requires the document to define native PDF objects and parse JavaScript code. In this situation, Acrobat modules handle the native PDF objects, while a built-in JavaScript engine handles the scripts, and a "binding layer" translates the information.

The "cooperative mutation" technique the tool uses to identify flaws "simultaneously modifies the script code and the related document objects to explore various code paths of the binding code," according to Xu.

According to the project's GitHub page, the tool has three components:

  • Object Clustering: Cooper first extracts native objects by parsing sample documents, and categorizes objects into attribute-based classes to reduce object search space
  • Relationship Inference: The tool combines different API groups and object classes to produce a large number of documents, then records the execution results of embedded scripts. Cooper then infers the relationship between object classes and API groups based on the success rate of the distribution of object classes and script execution.
  • Relationship – Guided Mutation: Finally, the tool guides the script generation, object selection, and object mutation by leveraging the inferred relationship.

Two of the vulnerabilities Cooper detected, marked as CVE-2021-21028 and CVE-2021-21035, have CVSS severity scores of 8.8 and are both Use After Free Acrobat Reader DC vulnerabilities. These flaws could let an unauthenticated attacker execute arbitrary code remotely. Exploiting these vulnerabilities would require user interaction in that the victim would have to open a malicious file.

tags


Author



Right now

Top posts

Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

May 24, 2022

3 min read
John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

April 15, 2022

3 min read
Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

April 14, 2022

3 min read
Why and how to hide your IP address while traveling

Why and how to hide your IP address while traveling

April 13, 2022

2 min read
How Bitdefender Can Help Restore Your Privacy in the Digital Age

How Bitdefender Can Help Restore Your Privacy in the Digital Age

April 04, 2022

3 min read
How Strong is VPN Encryption?

How Strong is VPN Encryption?

February 28, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Internet Service Providers Help Spyware Vendor Infect iOS and Android Devices Internet Service Providers Help Spyware Vendor Infect iOS and Android Devices
Vlad CONSTANTINESCU

June 24, 2022

2 min read
QNAP NAS Devices Vulnerable to Remote Attacks Through Critical PHP Flaw Exploit QNAP NAS Devices Vulnerable to Remote Attacks Through Critical PHP Flaw Exploit
Vlad CONSTANTINESCU

June 23, 2022

2 min read
Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021 Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021
Filip TRUȚĂ

June 22, 2022

1 min read