Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Adobe suggests workaround for PDF embedded executable hack

By Ryan Naraine | April 6, 2010, 12:14pm PDT

Summary: Adobe is suggesting that users configure its PDF Reader product to limit the damage from an attack.

On the heels of a warning that malicious executables can be embedded into PDF files and launched with minimal user interaction, Adobe is suggesting that users configure its PDF Reader product to limit the damage from an attack.

Here are the instructions for mitigating a potential attack:

Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications”

This is what it looks like:

Adobe spokeswoman Wiebke Lips said that unchecking/clearing thatbox will prevent any file type other than PDF attachments to launch.

In organizations where the administrator would like to control this functionality (rather than giving the end-user) the option to check or uncheck the box, Lips the administrator can control this functionality via the registry setting on Windows by doing the following:

Set HKCU\Software\Adobe\Acrobat Reader\<version>\Originals\bAllowOpenFile (DWORD) to 0
An administrator can also grey out the preference to keep end-users from turning this capability on, by setting HKCU\Software\Adobe\Acrobat Reader\<version>\Originals\bSecureOpenFile (DWORD) to 1.

Adobe is still investigating ways to mitigate this threat and has not ruled out a fix in an upcoming security patch.

The alternative FoxIt Reader, which is also vulnerable, has issued a patch to ensure there is user-action required for a successful attack but malicious hackers could still use clever social engineering techniques to launch executables from rigged PDF files.

A demo of the PDF hack has been published by researcher Didier Stevens.

Separately, another researcher has posted a video showing that it’s possible to launch an attack internally from one PDF onto another already existing PDF, raising the possible of a PDF worm.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Updated: Owner of Firefox's mystery root authority is confirmed

Researchers expose complex cyber espionage network

Topics

Adobe Systems Inc., Workaround, Adobe PDF, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Full Bio
Disclosure
Contact

Vendor HotSpot

The 360° Conversation around Cloud Computing

TECH VISUALIZER brings the social conversation to life... powered by Brocade

Learn More »

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?

Ask a Question Start a Discussion

Comments

Add Your Opinion

Join the conversation!

Follow via:: RSS; Email Alert

Just In

fsdd

jywhy888 7th Mar

View in thread

Please Select
Please Select

0 Votes

+ -

The problem with end-arounds

klumper 6th Apr 2010

Adobe is suggesting that users configure its PDF Reader product to limit the damage from an attack. [...] Adobe is still investigating ways to mitigate this threat and has not ruled out a fix in an upcoming security patch.

The problem with end-arounds is that such remedies seem fleeting at best. They require end users to customize, indeed memorize, settings they shouldn't have to. It's one thing as it pertains to UI preferences, that's personal choice, but for security settings it's tough.

Will the changes stay in place with subsequent security patches? Likewise will in-place version upgrades overwrite them, setting the changes back to original defaults? How do you know if and when such holes are fixed permanently, thus no longer requiring user intervention?

Then there's the need to keep track of these kinds of customized tweaks for this program or that - more so if the drive requires reformatting at some point, or an earlier drive image needs to be imported.

Aye yea yea sad

Reply
Flag

0 Votes

+ -

fsdd

jywhy888 7th Mar

Reply
Flag

0 Votes

+ -

This should be turned off by default.

AzuMao 6th Apr 2010

Reply
Flag

0 Votes

+ -

I agree...

Ceridan 6th Apr 2010

But at least Adobe has the option.. FoxIT does not even have the option(even if it does the behaviour)...

Reply
Flag

0 Votes

+ -

That's right. Why didn't Adobe do that?

voltrarian 7th Apr 2010

It should have been a no-brainer.

How often are executables attached to pdf's anyway? It's a stupid "feature" where if a user needed it, it should be forewarned to the user to enable it, and yet again, there should be content workaround to not even need such an obvious back-door to malware.

Maybe the most popular use would have been viruses/trojans.

It's another reason why Adobe can't be trusted, and alternatives should exist.

Reply
Flag

0 Votes

+ -

RE: Adobe suggests workaround for PDF embedded executable hack

litmank 6th Apr 2010

The administrator suggestion turns the feature on, it does not grey it out.

Reply
Flag

0 Votes

+ -

Adobe / PDF should die already.

kraterz 6th Apr 2010

PDF was a layout language, lightweight and simple, and easy to render. Now PDF is competition to HTML, flash, javascript, SVG, and the kitchen sink.

You need a 27MB download just to display a document? It needs to be dead already.

Reply
Flag

0 Votes

+ -

Better workaround ...

wackoae 6th Apr 2010

Don't use Adobe Reader.

Try another PDF reader. PDFXChange is the one I use, but there are a few others that are pretty good too.

Reply
Flag

0 Votes

+ -

Better still..

AzuMao 6th Apr 2010

..don't use useless formats like PDF.

Reply
Flag

0 Votes

+ -

Best option?

wolf_z 7th Apr 2010

PDF should return to its roots. It should be a display-only format. Period. No embedding of anything.

That's what we need, a display-only/print only document. You know, like paper. Make it deliberately difficult to change.

0 Votes

+ -

Why not just use (X)HTML + CSS?

AzuMao Updated - 7th Apr 2010

0 Votes

+ -

Maybe because (X) HTML CSS is soo simple, not

jsnett@... 7th Apr 2010

Good point wolf, that is what made the .pdf format great. It was electronic paper that noone could mess with. I think a security patch would be likley. To many other readers out there, unless arrogance gets in the way.

Having said that, I avoided Acrobat for years until finally installed a copy of 8 I had laying around and I do find it useful. I really needed to change and create pdfs quickly and simply. It does just that.

But as usual, a Tech company once again trys to do everything, paint it a different color and call it "new" by adding way too many features most people will never use, much less even know they exist.

Also after attending a couple breakout sessions during State technology conferences, the "zealots" were a put off. Their way or the highway. Not fair because I'm sure not all Adobe spokespersons are that way but the only 2 I've seen present were. I mean come on, we all know it can find all words and correct their spelling, font color, straighten a scanned page or whatever.

It reminds me of watching the launch of the iPad and people ohhhing and ahhhing over the dictionary feature that has been in every e reader for the last 4 years or "Hey, it looks like a page turning!!" I guess what I'm saying is, are you buying a toy or a tool?? If not a toy then keep the tool simple.

0 Votes

+ -

Inconsistent/Nonexistant Implementation of CSS

michaelg81@... 7th Apr 2010

Reasons not to use XHTML + CSS

1. Lack of uniformly reliable display

As much as many useability experts will say piffle to the "superfalous
decoration" of design elements, the fact is that communication
involves far more than information. Effective, compelling
communication between people will always have an emotional
component. This requires a level of control over the visual display that
is difficult to achieve without consistent rendering.

Even something as ubiquitous as the e-mail client, some 30 years
after the popularization of HTML, has limited and inconsistent
rendering of CSS. Ask anyone doing HTML e-mail. However, the
browser situation is finally improving with the none-to-soon demise
of Internet Explorer 6.

2. Requires special knowledge to create.

All a user has to know to create a PDF is how to print a document and
save a file ? very elementary tasks in the computing world. To create
CSS-positioned content requires pseudo-programming skills.

This could change as word processors get improved HTML export
facilities or a new crop of WYSIWYG XHTML+CSS authoring tools
mature.

3. Browsers have their own security issues.

Remember, this is where security exploits on the Internet started. As
long as browser companies insist on risky features at the expense of
security, anything that displays XHTML will have it's own security
risks.

Michael Gross

0 Votes

+ -

Okay, so don't use IE6, and use a nice point and click WYSIWYG, not notepad

AzuMao 7th Apr 2010

0 Votes

+ -

Thank you

Narr vi 6th Apr 2010

to Adobe spokeswoman Wiebke Lips.

That is fair dealing, to openly suggest this.

Regards.

Reply
Flag

0 Votes

+ -

[citation needed]

s_southern 7th Apr 2010

Please provide the link to the source of your instructions. Our change management & documentation process requires that information.

As always, trying to find this information on Adobe's web site is not something they like to make easy or obvious.

Reply
Flag

0 Votes

+ -

Perhaps this will suffice

Steve Goldman Updated - 7th Apr 2010

http://blogs.adobe.com/adobereader/2010/04/didier_
stevens_launch_function.html

Sorry, link is getting killed by post but if you
cut and paste it will work.

Reply
Flag

0 Votes

+ -

Corrected Link

?vatar 7th Apr 2010

http://blogs.adobe.com/adobereader/2010/04/

0 Votes

+ -

Simple fix

kidtree 7th Apr 2010

I've tried FoxIt and a few other alternative readers, but keep coming back to Acrobat Reader for its clear rendition of complex docs. Thanks for passing on this fix.

Reply
Flag

0 Votes

+ -

RE: Adobe suggests workaround for PDF embedded executable hack

siebent 7th Apr 2010

Adobe is one of the biggest scams in a long while. They do not allow editing of an object unless you pay an Exorbitant amount of money the software. This for something somebody sent you that wasn't even created in Adobe, but was an option in sending. One of the reasons I like Apple.

Reply
Flag

0 Votes

+ -

RE: Adobe suggests workaround for PDF embedded executable hack

siebent 7th Apr 2010

Adobe is a scam.

Reply
Flag

0 Votes

+ -

The ultimate problem

michaelg81@... 7th Apr 2010

Adobe should immediately reprogram their Acrobat and
Reader products to clear the option to automatically run
non-Acrobat files. This is as silly as an operating system
vendor creating and promoting a technology that grants
direct system-level access to any program that wants it.

However, the end solution is a robust, security-centric
operating system. Too many programmers (and their
marketing executives) are enamored with pushing out cool,
whiz-bang features ahead of making them secure and the
average computer user is too complacent and trusting of
their operating system vendor. The average end user is
also too lazy to educate themselves and/or implement
secure work habits.

Why is it that anti-malware is not an integral part of the
operating system? Why don't dialogs and prompts do a
better job of alerting users to potential threats? Why do
operating systems allow users to run day-to-day tasks
with admin privileges?

Until users vote with their pocket books and choose
security over convenience, this problem will persist.

My challenge to Apple and Microsoft: make security
convenient. Apple has gone a long way, but where's the
anti-virus? I can't speak to Microsoft's current offerings?I
abandoned them when I learned about DirectX.

For now, I'll continue with Ubuntu Linux.

Michael Gross

Reply
Flag

0 Votes

+ -

I suggest a workaround

mark16_15@... 7th Apr 2010

Use a limited function PDF reader such as Foxit Reader. Loads and runs faster than Adobe and the functionality lost is more than compensated by the speed and safety.

Reply
Flag

0 Votes

+ -

I suggest a patch.

NeuromancerLV 7th Apr 2010

Adobe is still "considering" a patch. Outstanding!

Reply
Flag

0 Votes

+ -

Windows-only issue? I use Evince on Ubuntu

barence773 7th Apr 2010

I use Evince on Ubuntu. Adobe Reader is available, but I chose not to install it. Am I still vulnerable?

Reply
Flag

0 Votes

+ -

RE: Adobe suggests workaround for PDF embedded executable hack

jimiznhb Updated - 7th Apr 2010

Here is a WORKAROUND...
1. Uninstall ABODE PDF Reader...
2. Install a FASTER, BETTER PDF Reader (there are
Several Right Here on CNET)...
3. ENJOY grin

Reply
Flag

0 Votes

+ -

Sample ADM file for group policy

ederkley 7th Apr 2010

Here is a sample ADM for anyone who wants to roll these settings out via group-policy.
Should work with Adobe Reader 9.0 to 9.3.1 (they all use reg key "9.0")

However, use at your own risk...
Further instructions here:

http://blogs.technet.com/askds/archive/2007/08/14/deploying-custom-registry-changes-through-group-policy.aspx

CLASS USER
CATEGORY Adobe_Reader_(CustomADM)
POLICY "Embedded Executables"
EXPLAIN !!AdobeReaderHelp
KEYNAME "Software\Adobe\Acrobat Reader\9.0\Originals"
PART !!bAllowOpenFile DROPDOWNLIST REQUIRED
VALUENAME "bAllowOpenFile"
ITEMLIST
NAME !!Yes VALUE NUMERIC 1 DEFAULT
NAME !!No VALUE NUMERIC 0
END ITEMLIST
END PART
PART !!bSecureOpenFile DROPDOWNLIST REQUIRED
VALUENAME "bSecureOpenFile"
ITEMLIST
NAME !!Yes VALUE NUMERIC 1
NAME !!No VALUE NUMERIC 0 DEFAULT
END ITEMLIST
END PART
END POLICY
END CATEGORY

[strings]
AdobeReaderCustomADM="Adobe Reader Settings"
bAllowOpenFile="Allow embedded executable to launch: "
bSecureOpenFile="Secure option to allow embedded executable to launch: "
Yes="Yes"
No="No"

; explains
AdobeReaderHelp="You can set the Adobe Reader behavior to allow embedded executable files to launch. You can further enable or disable access to this option so that users cannot change this. See http://blogs.zdnet.com/security/?p=6028&tag=nl.e550"

Reply
Flag

0 Votes

+ -

Show the exploit on Windows 7

T-F Updated - 20th Apr 2010

As you can see in the demo video, the exploit applies to WinXP (assumes a user has local admin rights).

If you run w/ the defaults for Win7 or even Vista, a user would have to accept the UAC prompt.

As stated in several other replies, Adobe should set this setting should off by default.