Adobe offers workaround for PDF risk

Summary: The workaround has been provided to guard against attacks that use a feature in its Reader and Acrobat software to fool users into installing malware.

Adobe has provided a workaround for an issue in its Reader and Acrobat software that could let PDFs be used to spread malicious software.

In March, security researchers discovered a feature in the software could be used to trick people into running an embedded executable program in a PDF. Malicious software could be installed on the victim's PC without an attacker exploiting any vulnerability on the system.

On Tuesday, Adobe product manager Steve Gottwals outlined the workaround in a blog post. Sysadmins can alter a registry setting on Windows, or grey out a PDF preference, to stop users turning on the /Launch capability, which is the exploitable feature, he said.

In addition, Adobe is evaluating the best way to allow admins and users to mitigate the problem. This could be pushed out in a product update, according to Gottwals.

"We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates," said Gottwals.

The PDF hack was made public by security researcher Didier Stevens. Stevens showed how an attacker could use the launch function triggered by opening a PDF. While Adobe Reader launches a dialog box to ask for user approval to run the executable, the message in the dialog box can be manipulated to look like an innocuous message and so fool users into starting the program, wrote Stevens in a blog post.

The proof-of-concept attack demonstrated by Stevens also works with Foxit Reader, an alternative to Adobe Reader. However, Foxit does not pop up the dialog box.
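For admins who want to screen incoming PDFs for the /Launch capability described above, the following is an added example, not code from Adobe, Stevens or the original article. The function names and the sample byte strings are constructed for illustration; it assumes the file is scanned as stored, without decompressing object streams.

```python
import re

# A PDF name token is "/" followed by regular characters. "#xx" is a hex
# escape inside a name, so "/L#61unch" is the same name as "/Launch".
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx hex escapes in a PDF name token."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Report offsets of /Launch names and whether /OpenAction is present.

    Limitations (assumptions of this sketch): names inside compressed
    object streams are not seen, and a "/Launch" that merely appears
    inside a text string is reported as well.
    """
    launch_offsets = []
    open_action = False
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name == b"Launch":
            launch_offsets.append(m.start())
        elif name == b"OpenAction":
            open_action = True
    return {"launch_offsets": launch_offsets,
            "open_action": open_action,
            "suspicious": bool(launch_offsets)}


# Constructed, non-functional fragments (not taken from any real document).
SAMPLE_PLAIN = (b"1 0 obj\n<< /Type /Catalog /OpenAction "
                b"<< /S /Launch /F (constructed-placeholder) >> >>\nendobj\n")
SAMPLE_ESCAPED = b"<< /Type /Action /S /L#61unch /F (constructed-placeholder) >>"
SAMPLE_CLEAN = b"<< /Type /Catalog /Pages 2 0 R >>"

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                        ("clean", SAMPLE_CLEAN)]:
        print(label, scan_pdf(blob))
```

A hit only means the file contains a launch action and deserves a closer look before it reaches users; it says nothing about what the action would run.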


About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books. Tom eventually found tha...
