GreyMagic Security Advisory GM#002-MC
=====================================

By GreyMagic Software, Israel.
07 Oct 2003.

Available in HTML format at http://security.greymagic.com/adv/gm002-mc/.

Topic: Adobe SVG Viewer Active Scripting Bypass.

Discovery date: 19 Aug 2003.

Affected applications:
======================

Adobe SVG Viewer (ASV) 3.0 and prior. 

Note that any other application that embeds ASV is affected as well,
including the WebBrowser control. Therefore, any application that makes use
of the WebBrowser control is vulnerable (Internet Explorer, AOL Browser, MSN
Explorer, etc.). 


Introduction:
=============

Scalable Vector Graphics (SVG) is a relatively new XML-based language for
creating and controlling vector graphics. The language was standardized and
endorsed by the WWW Consortium (W3C). 

Several SVG parsers and renderers have been released as browser plugins, but
the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe:
"Adobe SVG Viewer 3.0 is available in 15 languages and many millions of
viewers have already been distributed worldwide." 


Discussion: 
===========

SVG documents may be manipulated by script, through a full Document Object
Model that the plugin exposes. In order to achieve an independent method of
manipulation, ASV creates an instance of the Microsoft JScript engine, which
is then used to parse and execute script blocks that appear in the document.

When parsed in the browser environment, SVG documents are able to interact
with the containing HTML document by using the "parent" property. By
referring to the HTML document, script running in the SVG document is able
to fully control the parent's content. 

The problem is that ASV completely disregards the browser's Active Scripting
settings. Thereby, making it easy for attackers to utilize scripting
abilities and HTML DOM manipulations without having to rely on Active
Scripting being enabled by the user. Many users choose to disable Active
Scripting in the browser for security reasons, since even though Active
Scripting isn't in itself a threat (in most cases), it happens to be a major
component in browser-based attacks. 


Demonstration:
==============

We put together a proof of concept demonstration, which can be found at
http://security.greymagic.com/adv/gm002-mc/.


Solution: 
=========

GreyMagic brought this issue to Adobe on 21-Aug-2003. They have devised a
patched version (ASV 3.01) and made it available on the official ASV
download site at http://www.adobe.com/svg/viewer/install/mainframed.html.


Tested on: 
==========

Adobe SVG Viewer 3 Build 76.


Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 

- Copyright © 2003 GreyMagic Software.