Adobe Systems said users can reconfigure Adobe Reader and Acrobat to mitigate a new attack technique that allows malicious code to be executed without exploiting an actual vulnerability in the software.
Adobe Systems is recommending that concerned users reconfigure the settings
in Adobe Reader to thwart an attack
that allows embedded executables
in PDF files to launch.
The situation was uncovered by security researcher Didier Stevens, who
developed a proof-of-concept demonstrating how an attack could leverage launch
action functionality in PDF viewing software to run embedded executables.
The issue prompted Foxit Software to release
for Foxit Reader that generates a warning if an embedded
executable tries to launch.
However, Foxit's fix seems to have an inadvertent side effect, Stevens
"The interesting thing about this fix is that it breaks my Foxit PoC, but
that the Adobe PoC works for Foxit now! This means that Foxit Software changed
the way arguments are passed to the launched application," he
wrote on his blog
Adobe Reader was already designed to trigger an alert in the event an
embedded executable tried to launch. However, Stevens showed it was possible to
alter part of the warning dialog box and suggested users could be tricked into
allowing a malicious executable to run with a little social engineering.
a blog post
Tuesday night, Steve Gottwals, group product manager for Adobe
Reader, recommended users reconfigure the product to block possible attacks.
After clicking on "Edit," consumers should go to the "Preferences"
panel and click on "Trust Manager" in the left pane. From there, they need only
clear the check box that reads: "allow opening of non-PDF file attachments
with external applications," he said.
According to Gottwals, administrators can address the problem through the
registry settings on Windows by setting
HKEY_Current_Users\Software\Adobe\Acrobat Reader\(version being
used)\Originals\bAllowOpenFile (DWORD) to 0.
Administrators can also block end users from turning the capability on by
setting HKEY_Current_Users\Software\Adobe\Acrobat Reader\(version being
used)\Originals\bSecureOpenFile (DWORD) to 1.
"These samples assumed you were adding registry settings to Adobe Reader,"
he blogged. "For Adobe Acrobat, you would replace 'Acrobat Reader' with 'Adobe
The technique is not known to have been used in the wild to target
users, an Adobe spokesperson said. While Adobe has not promised any type
of update for the issue-which both Stevens and Adobe consider an abuse of
functionality more than an actual vulnerability-Gottwals wrote that discussions
about the situation are ongoing.
"We are currently researching the best approach for this functionality in
Adobe Reader and Acrobat, which we could conceivably make available during one
of the regularly scheduled quarterly product updates," Gottwals noted.