In association with heise online

07 April 2010, 12:07

Adobe issues official workaround for PDF vulnerability

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Adobe PDF Logo Adobe has confirmed the vulnerability in its Adobe Reader product and proposed a workaround. The 'Launch Actions/Launch File' function allows the launching of scripts or .exe files embedded in PDF files, indeed this option is part of the PDF specification. The vulnerability can also, in principle, be exploited to spread PDF worms, as demonstrated in a video from blogger Jeremy Conway.

The vendor is advising users to deactivate the "Allow opening of non-PDF file attachments with external applications" option under Edit/Preferences/Trust Manager. This option is activated by default. After disabling this option, the demo exploit is no longer able to launch a command line when opened in Adobe Reader. Adobe Acrobat is also affected by the problem and can also be protected by deactivating this option.

Adobe is advising administrators to generate the following registry key on users' systems to deactivate this option:

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Name: bAllowOpenFile
Type: REG_DWORD
Data: 0

To ensure that users are not able to reactivate this option, it can be greyed out as follows:

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Name: bSecureOpenFile
Type: REG_DWORD
Data: 1

Adobe is still looking into whether it will be possible to fix this problem by means of an update. Adobe considers this to be a useful function which only becomes a problem when used incorrectly. According to a blog entry from Adobe product manager Steve Gottwals, Adobe Reader warns users that they should only launch files from trusted sources.

Foxit Software has also now released an update to fix the problem in its Foxit Reader. The problem in Foxit was somewhat more critical, as it failed to warn users and no option to deactivate attachments was available. The new version of Foxit now warns users before executing files.

It has also become apparent that the insight that the ability to run scripts or execute .exe files embedded in PDFs represents a possible vulnerability is old hat. Foxit Software was made aware of the problem more than a year ago. Security services provider Core Security and security specialist Thierry Zoller independently discovered the vulnerability and published demo exploits in early 2009 (details here and here).

See also:

(crve)

Print Version | Send by email | Permalink: http://h-online.com/-971932
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit