Security News > 2022 > May > Researchers find 134 flaws in the way Word, PDFs, handle scripts

Security researchers have devised a tool that detects flaws in the way apps like Microsoft Word and Adobe Acrobat process JavaScript, and it's proven so effective they've found 134 bugs - 59 of them considered worthy of a fix by vendors, 33 assigned a CVE number, and 17 producing bug bounty payments totaling $22,000.

Making that happen requires the PDF both to define native PDF objects and to parse JavaScript code.

Xu said Cooper can find such flaws because the cooperative mutation technique it uses "Simultaneously modifies the script code and the related document objects to explore various code paths of the binding code." That approach contrasts with other defensive techniques that check for flaws in scripts.

To reduce the object search space, Cooper categorizes objects into different classes based on their attributes.

Based on the success rate of the script execution and the distribution of object classes, Cooper infers the relationships between API groups and object classes.

Relationship-Guided Mutation Finally, Cooper leverages the inferred relationship to guide the object selection, script generation and object mutation.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/13/cooperative_mutation_flaw_finder/