Adobe's protection against embedded scripts incomplete
In a post on its blog, security firm Bkis reports that the protection against /Launch attacks introduced in Adobe Reader and Acrobat 9.3.3 is still incomplete. By enclosing the command embedded in a PDF document in double quotation marks, an attacker can bypass the protection and launch programs, although a warning dialogue requiring user confirmation is still displayed.
Adobe said that many customers need the function for their corporate solutions, so instead of disabling the "Allow opening non-PDF file attachments with external applications" option altogether, it added a blacklist of prohibited file types (.exe, .bat and many more). The blacklist is meant to make Reader block such calls categorically, regardless of whether the option is enabled or not.
However, the blacklist appears to have been implemented in a very simple way and can be bypassed by placing the command in quotation marks, for example /F("cmd.exe"). The filter then fails to match the command and Reader attempts to execute it, provided the "Allow opening non-PDF file..." option is still enabled. Adobe admits that the blacklist is not perfect and can be bypassed, but says it reduces the risk of attack without disrupting corporate customers' existing workflows.
Home users can solve the problem by disabling the option under "Edit/Preferences/Trust Manager". Corporate users who are unable to do so can extend Adobe's blacklist manually. Didier Stevens, who discovered the /Launch hole, suggests on his blog simply appending an entry for the quoted program name, quotation marks included ("cmd.exe":3), to the end of the list under HKLM\SOFTWARE\Policies\Adobe\product\version\ to at least prevent "cmd.exe" from being launched from documents. Because the entry is matched as literal text, this only covers that one spelling; any other quoted program name still passes.
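To see why a purely textual blacklist is so easy to slip past, and what the registry workaround does and does not cover, here is an added Python model. It is not Adobe's or Didier Stevens's code: the blacklist string, the Launch-action dictionaries and the "naive" matching rule are all constructed for the example (the pipe-separated "<entry>:3" format of the list is taken from the text above; the exact matching logic inside Reader is an assumption). The hardened check shows what a filter has to do instead: unquote, isolate the program name, and compare its real extension.

```python
import re
from pathlib import PureWindowsPath
from typing import List

# Constructed excerpt of the blacklist in the "<entry>:<permission>" format
# joined by '|' (permission 3 = block). The real list is far longer.
BUILTIN_PERM_LIST = "version:1|.bat:3|.cmd:3|.com:3|.exe:3|.vbs:3"

# The same list with the workaround suggested on Didier Stevens's blog appended:
# an entry for the quoted program name, quotation marks included.
EXTENDED_PERM_LIST = BUILTIN_PERM_LIST + '|"cmd.exe":3'

# Constructed PDF Launch-action dictionaries (not taken from any real sample).
LAUNCH_PLAIN = '<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c calc) >> >>'
LAUNCH_QUOTED = '<< /Type /Action /S /Launch /Win << /F ("cmd.exe") /P (/c calc) >> >>'
LAUNCH_OTHER = '<< /Type /Action /S /Launch /Win << /F ("calc.exe") >> >>'


def launch_target(action: str) -> str:
    """Return the /F literal string of a Launch action.

    Escaped parentheses inside PDF literal strings are not handled; the
    constructed inputs above do not use them.
    """
    match = re.search(r"/F\s*\(([^)]*)\)", action)
    if not match:
        raise ValueError("no /F entry in Launch action")
    return match.group(1)


def blocked_entries(perm_list: str) -> List[str]:
    """Entries carrying permission 3 (block), lower-cased."""
    blocked = []
    for item in perm_list.split("|"):
        name, _, perm = item.rpartition(":")
        if name != "version" and perm == "3":
            blocked.append(name.lower())
    return blocked


def naive_is_blocked(target: str, perm_list: str) -> bool:
    """Assumed model of a purely textual filter: does the raw /F string end with
    a blocked entry? For '"cmd.exe"' the last character is the closing quotation
    mark, so '.exe' never matches and the call goes through."""
    raw = target.lower()
    return any(raw.endswith(entry) for entry in blocked_entries(perm_list))


def executable_token(target: str) -> str:
    """First token of the command line as a launcher would interpret it: a quoted
    program name runs to the closing quote, otherwise to the first whitespace."""
    text = target.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return text[1:end] if end != -1 else text[1:]
    return text.split(None, 1)[0] if text else ""


def hardened_is_blocked(target: str, perm_list: str) -> bool:
    """Normalise before matching: unquote, isolate the program name, then compare
    its real extension and basename against the list. Quotes are stripped from
    list entries as well, so the '"cmd.exe":3' workaround entry still applies."""
    path = PureWindowsPath(executable_token(target))
    suffix, name = path.suffix.lower(), path.name.lower()
    return any(entry.strip('"') in (suffix, name) for entry in blocked_entries(perm_list))


if __name__ == "__main__":
    for action in (LAUNCH_PLAIN, LAUNCH_QUOTED, LAUNCH_OTHER):
        target = launch_target(action)
        print(f"{target!r:14} naive={naive_is_blocked(target, BUILTIN_PERM_LIST)!s:5} "
              f"naive+workaround={naive_is_blocked(target, EXTENDED_PERM_LIST)!s:5} "
              f"hardened={hardened_is_blocked(target, BUILTIN_PERM_LIST)}")
```

Run stand-alone, the table shows the three outcomes the article describes: the plain cmd.exe is blocked by every check, the quoted form passes the naive filter until the "cmd.exe":3 entry is appended, and a quoted calc.exe still passes even with that entry, whereas the hardened check blocks all three because it looks at the program's actual extension rather than at the raw string.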
It should be noted that since the 9.3.3 update the new trick can only be exploited if users carelessly click past the dialogue. At least a warning is now issued, and the dialogue text can no longer be crafted by the attacker to mislead users.