Adobe issues official workaround for PDF vulnerability
Adobe has confirmed the vulnerability in its Adobe Reader product and proposed a workaround. The 'Launch Actions/Launch File' function allows scripts or .exe files embedded in PDF files to be launched; indeed, this option is part of the PDF specification. The vulnerability can also, in principle, be exploited to spread PDF worms, as demonstrated in a video from blogger Jeremy Conway.
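For defenders who want to triage incoming PDFs for this feature, the following added example (not from Adobe or the original report) flags objects that carry a launch action. It assumes the PDF specification's `/S /Launch` action type and `/Win` parameter dictionary; the function names and the sample bytes are constructed for illustration.

```python
import re
import zlib

# PDF names may hex-escape any character (#61 is "a"), so decode before matching.
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# /S /Launch marks a launch action; /Win carries the Windows launch parameters.
_LAUNCH = re.compile(rb"/S\s*/Launch(?![A-Za-z0-9])")
_WIN = re.compile(rb"/Win(?![A-Za-z0-9])")

# Constructed samples with placeholder targets; none is a working exploit document.
PLAIN = b"1 0 obj\n<< /Type /Action /S /Launch /Win << /F (placeholder.exe) >> >>\nendobj\n"
ESCAPED = b"1 0 obj\n<< /S /L#61unch /F (other.pdf) >>\nendobj\n"
PACKED = (b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(PLAIN) + b"\nendstream\nendobj\n")
BENIGN = b"1 0 obj\n<< /Type /Action /S /URI /URI (https://example.invalid/) >>\nendobj\n"


def _normalise(data: bytes) -> bytes:
    """Decode #xx escapes inside name-like tokens so /L#61unch reads /Launch."""
    return _NAME.sub(
        lambda m: _HEX.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0)),
        data,
    )


def _bodies(data: bytes):
    """Yield the raw file, then every stream that inflates (e.g. object streams)."""
    yield "file", data
    for i, m in enumerate(_STREAM.finditer(data)):
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream".
            yield f"stream {i}", zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded or encrypted; raw bytes already scanned


def find_launch_actions(data: bytes) -> list:
    """Return (location, has_win_dict) for each launch action found."""
    hits = []
    for where, body in _bodies(data):
        body = _normalise(body)
        for m in _LAUNCH.finditer(body):
            window = body[m.end():m.end() + 200]  # look just past the action type
            hits.append((where, bool(_WIN.search(window))))
    return hits
```

Encrypted documents and filters other than Flate are not decoded here, so an empty result is not proof that a file has no launch action.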
The vendor is advising users to deactivate the "Allow opening of non-PDF file attachments with external applications" option under Edit/Preferences/Trust Manager. This option is activated by default. After disabling this option, the demo exploit is no longer able to launch a command line when opened in Adobe Reader. Adobe Acrobat is also affected by the problem and can also be protected by deactivating this option.
Adobe is advising administrators to generate the following registry key on users' systems to deactivate this option:
To ensure that users are not able to reactivate this option, it can be greyed out as follows:
Adobe is still looking into whether it will be possible to fix this problem by means of an update. Adobe considers this to be a useful function which only becomes a problem when used incorrectly. According to a blog entry from Adobe product manager Steve Gottwals, Adobe Reader warns users that they should only launch files from trusted sources.
Foxit Software has also now released an update to fix the problem in its Foxit Reader. The problem in Foxit was somewhat more critical, as it failed to warn users and no option to deactivate attachments was available. The new version of Foxit now warns users before executing files.
It has also become apparent that the risk posed by the ability to run scripts or execute .exe files embedded in PDFs is nothing new. Foxit Software was made aware of the problem more than a year ago. Security services provider Core Security and security specialist Thierry Zoller independently discovered the vulnerability and published demo exploits in early 2009 (details here and here).
- PDF exploit requires no specific security hole to function, a report from The H.
- New version of Foxit closes executable security hole, a report from The H.