Three vulnerabilities have been identified in Adobe SVG Viewer allowing malicious people to gain system access.

1) Websites are able to execute Active Scripting even if this has been disabled in Internet Explorer. The reason is that Adobe SVG launches its own instance of the Microsoft JScript engine. By using the parent property, it is possible to interact with the parent document. This effectively bypasses the "Active Scripting" configuration of Internet Explorer.

2) The "postURL" and "getURL" methods allows asynchronous HTTP requests to the server. These requests are restricted so that they can only access resources within the same domain. However, if the request is redirected to a local or remote file in the Local Zone or a different domain, the information may still be requested. This allows malicious sites to steal cookies and other information from other sites or to see local files (local file access is only possible in Internet Explorer 6 without SP1).

3) When a document issues an "alert" prompt, the script is halted until the user accepts. However, a different thread can change the URL of the window while waiting for user input. The initial script now has access to the new parent object, which potentially could allow access to the Local Zone including execution of arbitrary code.

The vulnerabilities have been reported in version 3.0 and earlier.

Solution
Update to version 3.01:
Further details available in Customer Area

Provided and/or discovered by
GreyMagic Security Research

Original Advisory
http://sec.greymagic.com/adv/gm004-mc/
http://sec.greymagic.com/adv/gm003-mc/
http://sec.greymagic.com/adv/gm002-mc/

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area