Adobe Considers Next Step While Zeus Exploits PDF Security Issue | eWeek

Adobe Considers Next Step While Zeus Exploits PDF Security Issue

Écrit par
Brian Prince
Brian Prince
Apr 17, 2010
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Adobe Systems has not made a decision whether to change its approach to the launch action feature in Adobe Reader now being abused in a malware attack.

A spokesperson for Adobe told eWEEK Friday the company is still evaluating if it will do anything to address a design issue that is being roped into an attack campaign infecting users with the Zeus Trojan. According to Websense, attackers have been sending e-mails with a malicious PDF file. The attack is similar to a technique security researcher Didier Stevens disclosed roughly two weeks ago that used the launch action function to launch an embedded executable in a PDF file.

Stevens’ proof-of-concept triggered a warning dialog in Adobe Reader, and Foxit Software updated its Foxit Reader recently to provide a warning as well. According to Adobe spokesperson Wiebke Lips, the warning provided by the company’s software contains “strong wording advising users to only open and execute the file if it comes from a trusted source.”

“This is an example of powerful functionality relied on by some users that also carries potential risks when used incorrectly,” Lips has said.

While the attack reported by Websense is similar to that of Stevens, it appears technically to use a Metasploit module developed last year.

“The Metasploit Framework has had support for the PDF Launch method since August of 2009, when Colin Ames of Attack Research released the module as part of his Black Hat USA presentation,” said HD Moore, founder of the Metasploit project and chief security officer at Rapid7. “The technique to hide the malicious command was disclosed by Didier Stevens when he independently found this feature in late March.”

According to Websense, the attack works this way: Users receive a malicious PDF file which contains the threat as an embedded file. When recipients open the PDF, it asks them to save a file called Royal_Mail_Delivery_Notice.pdf, which is actually a Windows executable.

“The file you would be saving is the hidden embedded Trojan, which then launches automatically,” explained Carl Leonard, senior research manager at Websense Security Labs.

Once the malicious PDF launches the dropped file and takes control of the computer, it connects to an attack server in China, he said.

Zeus is best known as a data-stealing Trojan targeting online banking information. It is widely available on hacker forums, with variants selling from a few hundred to several thousand dollars.

While Adobe considers whether or not it will adjust the launch action feature or leave it as is, there are a few steps users concerned about the issue can take to protect themselves.

“There are a three simple things home users can do to protect themselves,” Moore advised. “The first and foremost is to ensure that their copy of Adobe Reader is updated with the latest patches. The Launch action requires user confirmation, but many of the previous Reader vulnerabilities required no action at all on the user’s side.

“The second thing is to disable Javascript within Adobe Reader … [and] the final thing is to change the Trust settings within Adobe Reader to prevent external, non-PDF attachments from being launched,” he said.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.