Patch/Configuration Management, Vulnerability Management

Adobe “Launch” flaw may not be fixed after all

A security researcher on Thursday said that he has discovered a way to bypass Adobe's Reader and Acrobat fix for a highly publicized flaw that takes advantage of a native PDF feature.

Adobe on Tuesday issued a Reader and Acrobat update, which included a patch to prevent attackers from using the PDF specification's "/Launch" function to enable the launching of scripts or .exe files embedded in PDF files that could be used in social engineering attacks or to spread worms.

“It is pity that the patch is not working properly,” Le Manh Tung, senior security researcher at Vietnam–based security company Bkis Internet Security, wrote in a Thursday blog post.

The researcher said he was able to get around the fix by slightly modifying the exploit code aimed at a targeted machine. In addition, Manh Tung on Thursday released proof-of-concept code to verify the attack.

The flaw, originally disclosed by researcher Didier Stevens on March 29, allows an attacker to partially control the warning message displayed when an executable within a PDF is about to be launched so that users are duped into clicking through.

Adobe Reader version 9.3.3 prevents the possibility of a fake warning dialogue being displayed, but the threat of malicious code execution still remains, Manh Tung said.

Brad Arkin, senior director of product security and privacy for Adobe, wrote in a blog post Thursday that when evaluating the best approach for the functionality in Adobe Reader and Acrobat, the company determined that disabling the ability to open non-PDF file attachments with external applications by default would have had a negative impact for a “significant” portion of its customer base.

Arkin said such a move would have affected existing workflows.

Instead, to protect against the vulnerability, the company added a blacklist functionality to prevent attackers from launching executables by default, he said.

“While blacklist capabilities alone are not a perfect solution to defend against those with malicious intent (as highlighted by Le Manh Tung in a recent blog post), this option reduces the risk of attack, while minimizing the impact on customers relying on workflows that depend on the launch functionality,” Arkin said. “We will evaluate this workaround to determine whether additional changes to the blacklist are required.”

Arkin added that if an attacker did try to bypass the blacklist functionality and attempt to execute malware, the attachment would not execute without first displaying a warning message, then requesting user permission to launch the attachment.

In mid-April, a malicious spam campaign capitalized on the "/Launch" flaw to spread the data-stealing trojan Zeus.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.