So, your users happily use FireFox for browsing the Internet, thinking they are safe from any IE 0dayz… after all IE vulnerabilities only affect IE right? Unfortunately, the situation isn’t that simple. In some cases, it is possible to control seemingly unrelated applications on the user’s machine through the browser. As an example (I hesitate to call this a bug, although I did report the behavior to various vendors) we can use various browser plugins to jump from FireFox to Internet Explorer and have Internet Explorer open an arbitrary webpage.
- Requirements: Firefox, Internet Explorer, and Adobe PDF Reader (v9 or X)
- Set the default browser to Internet Explorer (common in many enterprises)
- Open Firefox and browse to the following PDF in Firefox: http://xs-sniper.com/sniperscope/Adobe/BounceToIE.pdf
Firefox will call Adobe Reader to render the PDF, Adobe Reader will then call the default browser and pass it a URL, the default browser (IE) will render the webpage passed by the PDF.
The example I provide simply jumps from Firefox to IE and loads http://xs-sniper.com/blog/, however I’m free to load any webpage in IE. To be fair, we can substitute Firefox for Safari or Opera and it will still work.
Achieving this is simple. We use a built-in Adobe Reader API called app.launchURL(). Looking at the documentation for the launchURL() API, we see that launchURL() takes two parameters: cURL (required) and bNewFrame (optional). cURL is a string that specifies the URL to be launched and bNewFrame provides an indication as to whether cURL should be launched in a “new window of the browser application”. In this case, “new window of the browser application” really means the default browser.
A simple one liner in Adobe Reader JavaScript gets it done:
app.launchURL("http://xs-sniper.com/blog/",true);
Happy hunting…
