Author Topic: Another one - IE bug leaks private details from 50m PDF files  (Read 5186 times)

Broni

Another one - IE bug leaks private details from 50m PDF files
« on: November 24, 2009, 09:42:00 PM »
http://www.theregist...disclosure_bug/

A bug in Microsoft's Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said.

The documents stored in Adobe's PDF format display the internal disk location where the file is stored, an oversight that can inadvertently expose real-world names and login IDs of users, the operating system being used and other information that is better kept private. The data can then be retrieved using simple web searches.

Google searches such as this one expose almost four million documents residing on users' C drives alone. Combined with searches for other common drives, the technique exposes more than 50 million files that display the local disk path, according to Inferno, a security researcher for a large software company who asked that his real name not be used.

"If they have those kind of PDFs, somebody can use search engines to find out user names or do more reconnaissance on the operating systems used," he told The Register. "That actually invades the privacy of a user."

The potentially sensitive data is included in PDFs that have been printed using Internet Explorer. The full path location is appended to its contents as soon as the Microsoft browser is used to print the document. Although the data isn't always exposed when the document is viewed with Adobe Reader, it is easily readable when the file is opened in editors such as Notepad, and the text is also available to Google and other search engines.

This PDF, for example, was stored at C:\Program Files\Wids7\WizardReport.htm at time of printing. The path makes it clear that the file was stored on a Windows machine that has software from Worldwide Instructional Design System installed. Other PDFs give up directory names that reveal authors, projects or other data that may have been designated confidential.

The only way to remove the path is to erase the text in an editor and save the document.

All versions of IE suffer from the bug. A Microsoft spokeswoman said company engineers are working to reproduce the reported behavior. "We can confirm that this is not a vulnerability," she wrote in an email.

Adobe representatives didn't reply to requests for comment. Inferno's report is here.
« Last Edit: November 25, 2009, 10:04:07 AM by Broni »
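
A pre-publication check for the leak the quoted article describes, as an added example that is not part of the original thread: it scans a PDF's raw bytes for local disk paths, the same text the article says is readable in Notepad. Going slightly beyond the article, it also inflates zlib-compressed streams; `find_local_paths`, the sample bytes and the `jsmith` path are constructed for illustration.

```python
import re
import zlib

# Drive-letter paths (C:\..., C:/...) with an optional file:// prefix. The
# lookbehind keeps "http://" from matching as drive "p:".
PATH_RE = re.compile(rb'(?:file:/{2,3})?(?<![A-Za-z])[A-Za-z]:[\\/][^\r\n<>()"|?*]{1,200}')
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(pdf_bytes):
    """Yield the contents of zlib-compressed streams; skip everything else."""
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream".
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # uncompressed or differently encoded stream


def find_local_paths(pdf_bytes):
    """Return the sorted, de-duplicated local paths visible in the file."""
    hits = set()
    for blob in (pdf_bytes, *inflate_streams(pdf_bytes)):
        for m in PATH_RE.finditer(blob):
            text = m.group(0).decode("latin-1").rstrip(" .")
            # PDF string literals escape "\" as "\\"; undo that for reporting.
            hits.add(text.replace("\\\\", "\\"))
    return sorted(hits)


def _obj(num, body):
    # Constructed PDF-like object wrapper, just enough structure for the scan.
    return b"%d 0 obj\n<< /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (num, len(body), body)


# Constructed sample: one plain stream with the path quoted in the article and
# one compressed stream with a made-up user profile path.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _obj(1, rb"BT (C:\\Program Files\\Wids7\\WizardReport.htm) Tj ET")
    + _obj(2, zlib.compress(b"BT (file:///D:/Users/jsmith/Desktop/report.htm) Tj ET"))
)

if __name__ == "__main__":
    for path in find_local_paths(SAMPLE_PDF):
        print("local path found:", path)
```

A file that reports any hit should be re-exported or edited before it is uploaded, since search engines index the same text.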

patio

Re: Another one - IE bug leaks private details from 50m PDF files
« Reply #1 on: November 25, 2009, 07:25:52 AM »
MS should just resign from the Browser market...
" Anyone who goes to a psychiatrist should have his head examined. "

Boozu



Re: Another one - IE bug leaks private details from 50m PDF files
« Reply #2 on: November 25, 2009, 07:51:44 AM »
I'm a little confused. When you open a PDF in IE it writes to the file what the directory is in and then you can read that and learn things about the host computer?

Quote
it is easily readable when the file is opened in editors such as Notepad, and the text is also available to Google and other search engines.

That means at some time the directory is written to the PDF. Right? That sounds more like a problem with Adobe to me.

What am I missing? Is it saying that opening a PDF is dangerous, or hosting a PDF file online allows people access to the directory info?
Don't worry about it.  If it's not good at stock, then it's not good.


Broni

Re: Another one - IE bug leaks private details from 50m PDF files
« Reply #3 on: November 25, 2009, 10:07:51 AM »
Quote
MS should just resign from the Browser market...
Now, you're talking :)

Boozu

Quote
That means at some time the directory is written to the PDF. Right? That sounds more like a problem with Adobe to me.
Not really.
That data is shown only if:
Quote
The potentially sensitive data is included in PDFs that have been printed using Internet Explorer.

Boozu



Re: Another one - IE bug leaks private details from 50m PDF files
« Reply #4 on: November 25, 2009, 12:11:00 PM »
Broni. OK, but you said that the directory could be read if you opened it in something like Notepad. What did you mean if it is not written to the PDF?

Is this a threat to the person using IE or the PDF host?
Don't worry about it.  If it's not good at stock, then it's not good.


Broni

Re: Another one - IE bug leaks private details from 50m PDF files
« Reply #5 on: November 25, 2009, 03:34:07 PM »
OK, this is how I read it.
If you created a PDF file and you uploaded it to some on-line storage, using IE, then some of your sensitive data can be exposed ("that can inadvertently expose real-world names and login IDs of users, the operating system being used and other information that is better kept private. The data can then be retrieved using simple web searches").

BC_Programmer


Re: Another one - IE bug leaks private details from 50m PDF files
« Reply #6 on: November 25, 2009, 06:52:57 PM »
This is not a BUG in IE. It is a problem with the whole concept involved with HOOKING a printer into something else, such as a driver that "prints" to a PDF file.

The fact that IE prints the source file is not a problem with IE, since as far as IE is concerned it is printing to paper; not something that would be necessarily insecure. The problem is with the architecture used to make these PDF files; IE does have an Extensibility interface that would be far more useful in this respect; creating a pseudo-printer to create PDF files is bound to cause a problem down the line since all programs using it will, for all intents and purposes, believe they are printing to paper.
I was trying to dereference Null Pointers before it was cool.

Boozu



Re: Another one - IE bug leaks private details from 50m PDF files
« Reply #7 on: November 25, 2009, 11:23:15 PM »
Broni. That is very interesting.

BC. I like to hear that. Does this mean that it happens with other browsers too?
Don't worry about it.  If it's not good at stock, then it's not good.


kpac

Re: Another one - IE bug leaks private details from 50m PDF files
« Reply #8 on: November 26, 2009, 10:35:48 AM »
To make a PDF file, a virtual printer is installed. doPDF is an example but all use the same idea. To use it, just browse to a page, go to print and select the doPDF printer. This will then create a PDF of the webpage you were looking at.

That's basically how it works.