Fast-Forward: JavaScript API Exploits

The following is a guest post by Chris Markman, Academic Technology Specialist at Clark University, where he presses the “fast-forward button” on Hacker Conference videos to give you a summary of the talk in a condensed format, with direct links to resources mentioned in the talk. New posts are available each month in the Security Matters blog column.

"Abusing Adobe Reader's JavaScript APIs" is a panel presentation from three members of HP's Zero Day Initiative program that was delivered at DEF CON 23, held August 6–9, 2015, in Las Vegas.

It's worth noting that portions of this talk, including the number of known Adobe Acrobat Reader API exploits, were time sensitive and may have been patched at the time of this blog post. Right around the 4-minute mark they explain how during their research, many patches have come out from Adobe that claim to fix this problem, but the team and their bug bounty program continue to find exploits. The exploits appear to be plentiful. During the presentation Brian Gorenc (@Maliciousinput) mentions that they found a new JavaScript exploit while the group was in the airplane on the way to the conference.

It's also worth noting that it is very easy to disable JavaScript in Acrobat with a few clicks; however, it is enabled by default, and the most vulnerable users continue to be the folks who do not update to the latest version of this free software or have disabled autoupdate notifications entirely. Thirty minutes into the talk, Abdul-Aziz Hariri (@abdhariri) also explains which versions are affected — this information is not included in the slides provided on the DEF CON website. To summarize: Mac OS X is extremely vulnerable, and the "Pro" version in Windows is (or was) too.

As a final caveat, the Adobe Acrobat exploits described in this talk require users to open the malicious PDF, either accidentally or intentionally through social engineering. Once they do this, the exploits are "chained" in a way to execute "cleanly" in the background without the user noticing any interruption. This is a departure from memory corruption or fuzzing techniques that the presenters note as having less predictable behavior in the wild, and these JavaScript API exploits are far more sinister because it all occurs transparently to end users.

At 12 minutes in, Jasiel Spelman (@WanderingGlitch) explains how the team discovers these exploits. If you are familiar with JavaScript, this section of the presentation is worth your time. If not, the takeaway is that they found many undocumented API calls, and the undocumented ones make it a lot easier to elevate privileges. Readers of January's Fast-Forward blog post may note that this "known unknown" element is very similar to the problems security professionals face with shadow IT and shadow data. It can perhaps serve as a reminder that when we talk about data privacy, the discussion should include proactive data discovery and auditing as key elements.

For a full wrap-up of this talk, concluding remarks begin at minute 34, which are preceded by a live demo of the exploits in Window 8.1 and Mac OS X.


Chris Markman has been blogging about technology since 2008, first as a volunteer for the Participatory Culture Foundation and later as an MSLIS student at Simmons College and MSIT student at Clark University. Prior to joining the Academic Technology Services team at Clark University in 2014, he managed a film and music library in the Visual and Performing Arts department. Markman is a member of the New England Archivists professional group and several artist collectives in the city of Worcester, Massachusetts.

© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.