Adobe Systems is recommending that concerned users reconfigure the settings in Adobe Reader to thwart an attack that allows embedded executables in PDF files to launch.
The situation was uncovered by security researcher Didier Stevens, who developed a proof-of-concept demonstrating how an attack could leverage launch action functionality in PDF viewing software to run embedded executables. The issue prompted Foxit Software to release an update for Foxit Reader that generates a warning if an embedded executable tries to launch.
However, Foxit’s fix seems to have an inadvertent side effect, Stevens noted.
“The interesting thing about this fix is that it breaks my Foxit PoC, but that the Adobe PoC works for Foxit now! This means that Foxit Software changed the way arguments are passed to the launched application,” he wrote on his blog.
Adobe Reader was already designed to trigger an alert in the event an embedded executable tried to launch. However, Stevens showed it was possible to alter part of the warning dialog box and suggested users could be tricked into allowing a malicious executable to run with a little social engineering.
In a blog post Tuesday night, Steve Gottwals, group product manager for Adobe Reader, recommended users reconfigure the product to block possible attacks. After clicking on “Edit,” consumers should go to the “Preferences” panel and click on “Trust Manager” in the left pane. From there, they need only clear the check box that reads: “allow opening of non-PDF file attachments with external applications,” he said.
According to Gottwals, administrators can address the problem through the registry settings on Windows by setting HKEY_Current_UsersSoftwareAdobeAcrobat Reader(version being used)OriginalsbAllowOpenFile (DWORD) to 0.
Administrators can also block end users from turning the capability on by setting HKEY_Current_UsersSoftwareAdobeAcrobat Reader(version being used)OriginalsbSecureOpenFile (DWORD) to 1.
“These samples assumed you were adding registry settings to Adobe Reader,” he blogged. “For Adobe Acrobat, you would replace ‘Acrobat Reader’ with ‘Adobe Acrobat.'”
The technique is not known to have been used in the wild to target users, an Adobe spokesperson said. While Adobe has not promised any type of update for the issue-which both Stevens and Adobe consider an abuse of functionality more than an actual vulnerability-Gottwals wrote that discussions about the situation are ongoing.
“We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates,” Gottwals noted.