Full Title: Backdooring File Type X or Making a program do what it’s supposed to do…
Original Posting: http://www.computerdefense.org/?p=110

You know what I’m fed up with… people making “security” related discoveries that aren’t really discoveries… they’re just common sense….

There are two guilty parties here that I’m extremely unhappy with: David Kierznowski and pdp. David actually made the news for his Backdooring PDFs blog…. pdp has had several Backdooring .Mov, Backdooring Flash, and Backdooring MP3s..

Let’s take a look at each of these..

* PDF - Portable Document Format - A Document that is entirely self-contained and cross platform… These documents have to, essentially, be “compiled” from other documents… sort of like an executable being compiled from source code. It would make sense that they support their own programming language, which in this case happens to be a javascript variant. This isn’t a software flaw, it’s functional software being utilized completely for malicious reasons.
* MOV - Movile Files - These files quite commonly open a link to the artists page or the movies page… They have the ability to open a link and that’s exactly what they are doing.
* Flash - This was one I really enjoyed reading… How Flash could have a trojan or virus contained in it… and then he demonstrates a javascript alert… Again… the program opening a page exactly like it was written to do.
* MP3 - MPEG-1 Audio Layer 3 - This was my favourite one… this isn’t actually MP3s… it’s playlist files that can be named mp3.. So a whole lot of FUD over nothing. If an MP3 is 100 bytes and advertises itself as a full song… obviously it isn’t.. Again though, it’s a playlist file functioning as it is supposed to.

Everyone of these blog posts by both of them is nothing more than FUD generation. The fact that they invested so much time into these “vulnerabilities’ tells me something about the…. something I think everyone can come to on their own without me mentioning it.

Then there’s the issue of calling these backdoors… Do they know what a backdoor is… by definition this is not a backdoor

A backdoor in a computer system (or a cryptosystem, or even in an algorithm) is a method of bypassing normal authentication or obtaining remote access to a computer, while intended to remain hidden to casual inspection. The backdoor may take the form of an installed program (e.g., Back Orifice) or could be a modification to a legitimate program.

These people really make me wonder… why not a new one on how to backdoor an exe by writing the source code and compiling it. These all rely on the fact that your browser allows javascript to execute (except perhaps the PDF one because Acrobat includes it’s own version of javascript)… These should be called “Covert ways to enter a javascript statement into a browser”… They aren’t vulnerabilities and they are not backdoors… They are legitimate uses of the software. Another interesting note is that each time they refered to a file format… However the PDF “backdoor” requires Acrobat… it doesn’t work on other PDF Readers… the MP3 “backdoor” requires Quicktime and the browser plugin (since it’s the browser that actually executes the javascript) and like I mentioned it’s not actually MP3s but renamed playlist files. The MOV one is another example that requires Quicktime and more specifically the quicktime plugin…

Perhaps the message should be — Don’t allow your browser to execute javascript without your permission…. or don’t open files you don’t trust… but to suggest an inherent flaw in either a file format or a type of software because it’s doing what it’s supposed to do…

Consider this my security advisory — Programs do what they are coded to do… and you may not be aware of all their functionality.