Adobe warns of URI problems
Adobe has released a security advisory that warns of a critical security problem and describes how users can protect themselves. Adobe Reader, Adobe Acrobat Standard, Professional and Elements up to and including version 8.1 and Adobe Acrobat 3D are all affected.
The vulnerability clearly relates to the previously described Windows URI problem. As do many other applications, Adobe's Viewer passes URLs for which it does not consider itself responsible to the operating system via ShellExecute(). Windows XP with Internet Explorer 7 installed reacts to URLs of the form
by launching the Windows calculator. If IE7 is not installed, the responsible URL handler -- i.e. Outlook Express -- is launched. Under Vista an error message is displayed. This confusing behaviour can be reproduced by selecting Start/Run and entering the above string in the run dialogue box. It is not limited to mailto URLs.
Under Windows XP with IE7, many applications which prior to IE7 were secure can now be exploited, using appropriately crafted URLs as entry points for malware such as spyware. Firefox and Skype have already responded to the problem and released updates to protect users. The problem is particularly acute in the case of Adobe applications, as many users open PDF files without a second thought, and hazardous URLs can be started automatically when doing so.
The workaround described by Adobe involves changing mailto:2 to mailto:3 in the value of tSchemePerms, which is located in the following registry keys:
Acrobat: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchURLPerms
Reader: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown\cDefaultLaunchURLPerms
This prevents execution of mailto URLs. After doing so, the demonstration file generated by heise Security merely brings up an error message.
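The registry change described above, scripted in PowerShell as an added example (not code from Adobe or heise Security). It assumes the two key paths exactly as listed in the article and administrator rights for writing; the `-Apply` switch and the status labels are this example's own.

```powershell
# Added example: audit, and optionally apply, the tSchemePerms workaround.
# Without -Apply the script only reports what it finds.
param([switch]$Apply)

# Registry keys as listed in the article (Acrobat and Reader 8.0 policy keys).
$keys = @(
    'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchURLPerms',
    'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown\cDefaultLaunchURLPerms'
)

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output "SKIP        $key (key not present)"
        continue
    }

    $item = Get-ItemProperty -LiteralPath $key -Name tSchemePerms -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "SKIP        $key (no tSchemePerms value)"
        continue
    }

    $current = [string]$item.tSchemePerms

    if ($current -match '\bmailto:3\b') {
        # Workaround already in place: mailto URLs are blocked.
        Write-Output "OK          $key (mailto:3 already set)"
    }
    elseif ($current -notmatch '\bmailto:2\b') {
        # Neither setting found; do not guess, leave the value for manual review.
        Write-Output "REVIEW      $key (no mailto:2 entry in tSchemePerms)"
    }
    elseif ($Apply) {
        # Change only the mailto entry; every other scheme permission is kept as is.
        $fixed = $current -replace '\bmailto:2\b', 'mailto:3'
        Set-ItemProperty -LiteralPath $key -Name tSchemePerms -Value $fixed
        Write-Output "FIXED       $key (mailto:2 -> mailto:3)"
    }
    else {
        Write-Output "NEEDS FIX   $key (mailto:2 present; rerun with -Apply)"
    }
}
```

Run it once without `-Apply` to see which installations still carry `mailto:2`, then again with `-Apply` from an elevated prompt.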
Adobe's Product Security Incident Response Team informed heise Security that it plans to release an update to protect users from this problem by the end of October. Netscape, Miranda, mIRC and probably a whole raft of other applications can, however, also function as entry points. Because Internet Explorer 7 is distributed to Windows XP systems via the automatic update function -- now even without WGA authentication -- the number of affected users is likely to rise further.
Resolving the problem once and for all would require Microsoft to release a patch that, for example, makes the behaviour of Windows XP consistent with that of Windows Vista. However, enquiries by heise Security revealed that such a solution is not presently on the cards.
- Workaround available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat, security advisory from Adobe
- URI problem also affects Acrobat Reader and Netscape, report by heise Security