Adobe Systems said users can reconfigure Adobe Reader and Acrobat to mitigate a new attack technique that allows malicious code to be executed without exploiting an actual vulnerability in the software.
Adobe Systems is recommending that concerned users reconfigure the settings
in Adobe Reader to thwart an
attack
that allows embedded executables in PDF files to launch.
The situation was uncovered by security researcher Didier Stevens, who
developed a proof-of-concept demonstrating how an attack could leverage launch
action functionality in PDF viewing software to run embedded executables.
The issue prompted Foxit Software to
release
an update for Foxit Reader that generates a warning if an embedded
executable tries to launch.
However, Foxit's fix seems to have an inadvertent side effect, Stevens
noted.
"The interesting thing about this fix is that it breaks my Foxit PoC, but
that the Adobe PoC works for Foxit now! This means that Foxit Software changed
the way arguments are passed to the launched application,"
he
wrote on his blog.
Adobe Reader was already designed to trigger an alert in the event an
embedded executable tried to launch. However, Stevens showed it was possible to
alter part of the warning dialog box and suggested users could be tricked into
allowing a malicious executable to run with a little social engineering.
In
a blog post Tuesday night, Steve Gottwals, group product manager for Adobe
Reader, recommended users reconfigure the product to block possible attacks.
After clicking on "Edit," consumers should go to the "Preferences"
panel and click on "Trust Manager" in the left pane. From there, they need only
clear the check box that reads: "allow opening of non-PDF file attachments
with external applications," he said.
According to Gottwals, administrators can address the problem through the
registry settings on Windows by setting
HKEY_Current_Users\Software\Adobe\Acrobat Reader\(version being
used)\Originals\bAllowOpenFile (DWORD) to 0.
Administrators can also block end users from turning the capability on by
setting HKEY_Current_Users\Software\Adobe\Acrobat Reader\(version being
used)\Originals\bSecureOpenFile (DWORD) to 1.
"These samples assumed you were adding registry settings to Adobe Reader,"
he blogged. "For Adobe Acrobat, you would replace 'Acrobat Reader' with 'Adobe
Acrobat.'"
The technique is not known to have been used in the wild to target
users, an Adobe spokesperson said. While Adobe has not promised any type
of update for the issue-which both Stevens and Adobe consider an abuse of
functionality more than an actual vulnerability-Gottwals wrote that discussions
about the situation are ongoing.
"We are currently researching the best approach for this functionality in
Adobe Reader and Acrobat, which we could conceivably make available during one
of the regularly scheduled quarterly product updates," Gottwals noted.
Email
Print
