Adobe offers workaround for PDF risk

Adobe has provided a workaround for an issue in its Reader and Acrobat software that could let PDFs be used to spread malicious software.

In March, security researchers discovered a feature in the software could be used to trick people into running an embedded executable program in a PDF. Malicious software could be installed on the victim's PC without an attacker exploiting any vulnerability on the system.

On Tuesday, Adobe product manager Steve Gottwals outlined the workaround in a blog post. Sysadmins can alter a registry setting on Windows, or grey out a PDF preference, to stop users turning on the /Launch capability, which is the exploitable feature, he said.

In addition, Adobe is evaluating the best way to allow admins and users to mitigate the problem. This could be pushed out in a product update, according to Gottwals.

"We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates," said Gottwals.

The PDF hack was made public by security researcher Didier Stevens. Stevens showed how an attacker could use the launch function triggered by opening a PDF. While Adobe Reader launches a dialog box to ask for user approval to run the executable, the message in the dialog box can be manipulated look like an innocuous message and so to fool users into starting the program, wrote Stevens in a blog post.

The proof-of-concept attack demonstrated by Stevens also works with Foxit Reader, an alternative to Adobe Reader. However, Foxit does not pop up the dialog box.