Adobe Issues Advice To Avoid PDF Security Attack

Adobe Systems has issued advice for worried users that requires a reconfiguration of the settings in Adobe Reader in order to thwart an attack that allows embedded executables in PDF files to launch.

The situation was uncovered by security researcher Didier Stevens, who developed a proof-of-concept demonstrating how an attack could leverage launch action functionality in PDF viewing software to run embedded executables. The issue prompted Foxit Software to release an update for Foxit Reader that generates a warning if an embedded executable tries to launch.

However, Foxit’s fix seems to have an inadvertent side-effect, Stevens noted.

“The interesting thing about this fix is that it breaks my Foxit PoC, but that the Adobe PoC works for Foxit now! This means that Foxit Software changed the way arguments are passed to the launched application,” he wrote on his blog.

Adobe Reader was already designed to trigger an alert in the event an embedded executable tried to launch. However, Stevens showed it was possible to alter part of the warning dialogue box and suggested users could be tricked into allowing a malicious executable to run with a little social engineering.

Meanwhile in a blog post Tuesday night, Steve Gottwals, group product manager for Adobe Reader, recommended users reconfigure the product to block possible attacks. After clicking on ‘Edit’, consumers should go to the ‘Preferences’ panel and click on “Trust Manager” in the left pane. From there, they need only clear the check box that reads: ‘allow opening of non-PDF file attachments with external applications,’ he said.

According to Gottwals, administrators can address the problem through the registry settings on Windows by setting HKEY_Current_Users\Software\Adobe\Acrobat Reader\(version being used)\Originals\bAllowOpenFile (DWORD) to 0.

Administrators can also block end-users from turning the capability on by setting HKEY_Current_Users\Software\Adobe\Acrobat Reader\(version being used)\Originals\bSecureOpenFile (DWORD) to 1.

“These samples assumed you were adding registry settings to Adobe Reader,” he blogged. “For Adobe Acrobat, you would replace “Acrobat Reader” with “Adobe Acrobat”.”

The technique is not known to have been used in the wild to target users, an Adobe spokesperson said. While Adobe has not promised any type of update for the issue – which both Stevens and Adobe consider an abuse of functionality more than an actual vulnerability – Gottwals wrote that discussions about the situation are ongoing.

“We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product update,” Gottwals noted.


Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

18 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

19 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

20 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

22 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

1 day ago