Adobe on Tuesday issued a Reader and Acrobat update, which included a patch to prevent attackers from using the PDF specification's "/Launch" function to enable the launching of scripts or .exe files embedded in PDF files that could be used in social engineering attacks or to spread worms.
“It is pity that the patch is not working properly,” Le Manh Tung, senior security researcher at Vietnam–based security company Bkis Internet Security, wrote in a Thursday blog post.
The researcher said he was able to get around the fix by slightly modifying the exploit code aimed at a targeted machine. In addition, Manh Tung on Thursday released proof-of-concept code to verify the attack.
The flaw, originally disclosed by researcher Didier Stevens on March 29, allows an attacker to partially control the warning message displayed when an executable within a PDF is about to be launched so that users are duped into clicking through.
Adobe Reader version 9.3.3 prevents the possibility of a fake warning dialogue being displayed, but the threat of malicious code execution still remains, Manh Tung said.
Brad Arkin, senior director of product security and privacy for Adobe, wrote in a blog post Thursday that when evaluating the best approach for the functionality in Adobe Reader and Acrobat, the company determined that disabling the ability to open non-PDF file attachments with external applications by default would have had a negative impact for a “significant” portion of its customer base.
Arkin said such a move would have affected existing workflows.
Instead, to protect against the vulnerability, the company added a blacklist functionality to prevent attackers from launching executables by default, he said.
“While blacklist capabilities alone are not a perfect solution to defend against those with malicious intent (as highlighted by Le Manh Tung in a recent blog post), this option reduces the risk of attack, while minimizing the impact on customers relying on workflows that depend on the launch functionality,” Arkin said. “We will evaluate this workaround to determine whether additional changes to the blacklist are required.”
Arkin added that if an attacker did try to bypass the blacklist functionality and attempt to execute malware, the attachment would not execute without first displaying a warning message, then requesting user permission to launch the attachment.