Adobe Reader, Acrobat Update Fails To Address Critical 'Launch' Vulnerability

An Adobe update for Reader and Acrobat issued earlier this week failed to address a critical "launch" vulnerability that allows remote attackers to execute malicious code on users' computers.

The "launch" vulnerability still exists due to a feature in the PDF specifications, and Adobe is "not willing to alter the specs in order to fix this problem," said Johannes Ullrich, SANS Institute researcher, in a blog post.

Specifically, the attack exploits functionality in the PDF specification, which is an ISO standard that defines the "launch" command.

Ullrich pointed out that the vulnerability is still exploitable if the command is included in quotes. But unlike earlier versions of the Adobe Reader, the latest version eliminated the ability to modify the warning dialog that would alert users when they're about to inadvertently download malicious code, Ullrich said.

Adobe later repaired that part of the update, according to a Bkis Security blog post.

The "launch" vulnerability paves the way for attackers to initiate remote code execution attacks by enticing a victim to open an infected PDF, usually through some kind of social engineering scheme. If exploited, an attacker could subsequently shut down or completely take over a user's computer in an attempt to steal sensitive data or login credentials.

"The flaw still remains and the risk for users remains large. Adobe should release the next patch as soon as possible," according to the Bkis Security blog post.

The Adobe "launch" vulnerability was first discovered by researcher Didier Stevens in March. Since then, hackers have launched attacks exploiting the flaw.

Meanwhile, Adobe confirmed that it had partially addressed the problem by adding an attachment blacklist functionality to block attempts to launch executables or other malicious code by default, according to a company blog post. When a user attempts to open a file with malware, they receive an alert in a dialog box warning them that they may be opening a malicious file and asking them if they want to continue.

The new dialog box represents a change in that it requests user permission to launch non-PDF file attachments, in an attempt to mitigate the risk of a social engineering attack, Adobe said. Prior to the recent update, an attacker could have inserted instructions to the user into the warning dialog box.

"In the event of an attacker working around the blacklist functionality and attempting the execution of a malicious executable or other harmful object, the attachment will not execute without first displaying the warning message requesting user permission to launch the attachment," Adobe said. "The warning message provided includes strong wording advising users to only open and execute the file if it comes from a trusted source."

Administrators can also edit the default attachment blacklist in Adobe Reader and Acrobat 9.3.3 and 8.2.3 via the registry setting on Windows.

However, Brad Arkin, director of product security and privacy for Adobe Systems, said that the solution in the latest patch for the /Launch flaw is "not a perfect solution."
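
Because the launch action is part of the PDF specification rather than a parsing bug, defenders can triage incoming PDFs for it before they reach a reader. The Python below is an added example, not code from the article, Adobe, or the researchers quoted; it counts the /Launch name in plain, hex-escaped, and Flate-compressed form, and its function names and sample objects are constructed for illustration.

```python
import re
import zlib

# A PDF name is "/" plus regular characters; any character may be written
# as #XX hex, so "/#4Caunch" and "/Launch" are the same name.
NAME = re.compile(rb"/((?:[^\x00\s()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def names(data: bytes) -> list:
    """Return every name token in data with #XX escapes decoded."""
    unhex = lambda m: bytes([int(m.group(1), 16)])
    return [re.sub(rb"#([0-9A-Fa-f]{2})", unhex, m.group(1))
            for m in NAME.finditer(data)]

def find_launch_actions(pdf: bytes) -> dict:
    """Count exact /Launch names in the raw body and in each Flate stream."""
    chunks = {"body": pdf}
    for i, m in enumerate(STREAM.finditer(pdf)):
        try:
            # decompressobj tolerates the EOL that precedes "endstream"
            chunks[f"stream{i}"] = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass  # not Flate data: only the raw body scan applies
    counts = {k: names(v).count(b"Launch") for k, v in chunks.items()}
    return {k: n for k, n in counts.items() if n}

# Constructed, simplified sample objects (not taken from any real document).
ACTION = b"1 0 obj\n<< /Type /Action /S /Launch /F (constructed.txt) >>\nendobj\n"
SAMPLES = {
    "plain": ACTION,
    "hex_escaped": ACTION.replace(b"/Launch", b"/#4Caunch"),
    "in_object_stream": b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\n"
                        b"stream\n" + zlib.compress(ACTION) + b"\nendstream\nendobj\n",
    "benign": b"2 0 obj\n<< /Type /Action /S /GoTo /D [0 /Fit] >>\nendobj\n",
    "lookalike": b"3 0 obj\n<< /Launcher (not an action) >>\nendobj\n",
}

if __name__ == "__main__":
    for label, pdf in SAMPLES.items():
        print(f"{label:18} {find_launch_actions(pdf) or 'no /Launch'}")
```

A non-empty result means the file carries a launch action and should be quarantined or reviewed before it is opened. Encrypted documents and streams using filters other than Flate are not decoded here, so an empty result is not proof of absence.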