Adobe suggests workaround for PDF embedded executable hack

Summary: Adobe is suggesting that users configure its PDF Reader product to limit the damage from an attack.

On the heels of a warning that malicious executables can be embedded into PDF files and launched with minimal user interaction, Adobe is suggesting that users configure its PDF Reader product to limit the damage from an attack.

Here are the instructions for mitigating a potential attack:

  • Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications”


Adobe spokeswoman Wiebke Lips said that unchecking/clearing that box will prevent any file type other than PDF attachments from launching.

In organizations where the administrator would like to control this functionality (rather than giving the end-user the option to check or uncheck the box), Lips said the administrator can control this functionality via the registry setting on Windows by doing the following:

  • Set HKCU\Software\Adobe\Acrobat Reader\<version>\Originals\bAllowOpenFile (DWORD) to 0
  • An administrator can also grey out the preference to keep end-users from turning this capability on, by setting HKCU\Software\Adobe\Acrobat Reader\<version>\Originals\bSecureOpenFile (DWORD) to 1.
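
The following PowerShell script is an added example (not from Adobe or the original article) that applies the two values above to every Reader version key found under the current user's hive and then reads them back, so it can be re-run after a patch or upgrade to confirm the settings are still in place. The function names are hypothetical, and treating every subkey of `Acrobat Reader` as a `<version>` key is an assumption; the key path, value names and values are the ones quoted above.

```powershell
# Added example: apply and audit the two registry values quoted in the article.
# Function names are hypothetical; path, value names and data are the article's.
$Base   = 'HKCU:\Software\Adobe\Acrobat Reader'
$Wanted = [ordered]@{
    bAllowOpenFile  = 0   # clears "Allow opening of non-PDF file attachments..."
    bSecureOpenFile = 1   # greys out the preference for the end-user
}

function Get-ReaderVersionKeys {
    # Assumption: each subkey here is a <version> key as described in the article.
    if (-not (Test-Path $Base)) { return @() }
    Get-ChildItem -Path $Base | Select-Object -ExpandProperty PSChildName
}

function Set-ReaderAttachmentPolicy {
    param([Parameter(Mandatory)][string]$Version)
    $key = Join-Path (Join-Path $Base $Version) 'Originals'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $Wanted.Keys) {
        # -Force overwrites an existing value, including one of the wrong type.
        New-ItemProperty -Path $key -Name $name -Value $Wanted[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-ReaderAttachmentPolicy {
    param([Parameter(Mandatory)][string]$Version)
    $key = Join-Path (Join-Path $Base $Version) 'Originals'
    foreach ($name in $Wanted.Keys) {
        # A missing key or value yields $null, which is reported as non-compliant.
        $current = (Get-ItemProperty -Path $key -Name $name `
                        -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Version   = $Version
            Name      = $name
            Current   = $current
            Expected  = $Wanted[$name]
            Compliant = ($null -ne $current -and $current -eq $Wanted[$name])
        }
    }
}

foreach ($v in Get-ReaderVersionKeys) {
    Set-ReaderAttachmentPolicy -Version $v
    Test-ReaderAttachmentPolicy -Version $v
}
```

Because the path is under HKCU, the script only affects the account it runs as, so it has to run in each user's own session (for example from a logon script).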

    Adobe is still investigating ways to mitigate this threat and has not ruled out a fix in an upcoming security patch.

    The alternative FoxIt Reader, which is also vulnerable, has issued a patch to ensure that user action is required for a successful attack, but malicious hackers could still use clever social engineering techniques to launch executables from rigged PDF files.

    A demo of the PDF hack has been published by researcher Didier Stevens.

    Separately, another researcher has posted a video showing that it's possible to launch an attack internally from one PDF onto another already existing PDF, raising the possibility of a PDF worm.


    Talkback

    30 comments
    • The problem with end-arounds

      "Adobe is suggesting that users configure its PDF Reader product to limit the damage from an attack. [...] Adobe is still investigating ways to mitigate this threat and has not ruled out a fix in an upcoming security patch."

      The problem with end-arounds is that such remedies seem fleeting at best. They require end users to customize, indeed memorize, settings they shouldn't have to. It's one thing as it pertains to UI preferences, that's personal choice, but for security settings it's tough.

      Will the changes stay in place with subsequent security patches? Likewise will in-place version upgrades overwrite them, setting the changes back to original defaults? How do you know if and when such holes are fixed permanently, thus no longer requiring user intervention?

      Then there's the need to keep track of these kinds of customized tweaks for this program or that - more so if the drive requires reformatting at some point, or an earlier drive image needs to be imported.

      Aye yea yea :(
      klumper
    • This should be turned off by default.

      AzuMao
      • I agree...

        But at least Adobe has the option... FoxIT does not even have the option (even if it does the behaviour)...
        Ceridan
      • That's right. Why didn't Adobe do that?

        It should have been a no-brainer.

        How often are executables attached to pdf's anyway? It's a stupid "feature" where if a user needed it, it should be forewarned to the user to enable it, and yet again, there should be content workaround to not even need such an obvious back-door to malware.

        Maybe the most popular use would have been viruses/trojans.

        It's another reason why Adobe can't be trusted, and alternatives should exist.
        voltrarian
    • RE: Adobe suggests workaround for PDF embedded executable hack

      The administrator suggestion turns the feature on, it does not grey it out.
      litmank
    • Adobe / PDF should die already.

      PDF was a layout language, lightweight and simple, and easy to render. Now PDF is competition to HTML, flash, javascript, SVG, and the kitchen sink.

      You need a 27MB download just to display a document? It needs to be dead already.
      kraterz
    • Better workaround ...

      Don't use Adobe Reader.

      Try another PDF reader. PDFXChange is the one I use, but there are a few others that are pretty good too.
      wackoae
      • Better still..

        ..don't use useless formats like PDF.
        AzuMao
        • Best option?

          PDF should return to its roots. It should be a display-only format. Period. No embedding of anything.

          That's what we need, a display-only/print only document. You know, like paper. Make it deliberately difficult to change.
          wolf_z
          • Why not just use (X)HTML + CSS?

            AzuMao
            • Maybe because (X) HTML CSS is soo simple, not

              Good point wolf, that is what made the .pdf format great. It was electronic paper that no one could mess with. I think a security patch would be likely. Too many other readers out there, unless arrogance gets in the way.

              Having said that, I avoided Acrobat for years until finally installed a copy of 8 I had laying around and I do find it useful. I really needed to change and create pdfs quickly and simply. It does just that.

              But as usual, a Tech company once again tries to do everything, paint it a different color and call it "new" by adding way too many features most people will never use, much less even know they exist.

              Also after attending a couple breakout sessions during State technology conferences, the "zealots" were a put off. Their way or the highway. Not fair because I'm sure not all Adobe spokespersons are that way but the only 2 I've seen present were. I mean come on, we all know it can find all words and correct their spelling, font color, straighten a scanned page or whatever.

              It reminds me of watching the launch of the iPad and people ohhhing and ahhhing over the dictionary feature that has been in every e reader for the last 4 years or "Hey, it looks like a page turning!!" I guess what I'm saying is, are you buying a toy or a tool?? If not a toy then keep the tool simple.
              jsnett@...
            • Inconsistent/Nonexistent Implementation of CSS

              Reasons not to use XHTML + CSS

              1. Lack of uniformly reliable display

              As much as many usability experts will say piffle to the "superfluous
              decoration" of design elements, the fact is that communication
              involves far more than information. Effective, compelling
              communication between people will always have an emotional
              component. This requires a level of control over the visual display that
              is difficult to achieve without consistent rendering.

              Even something as ubiquitous as the e-mail client, some 30 years
              after the popularization of HTML, has limited and inconsistent
              rendering of CSS. Ask anyone doing HTML e-mail. However, the
              browser situation is finally improving with the none-too-soon demise
              of Internet Explorer 6.

              2. Requires special knowledge to create.

              All a user has to know to create a PDF is how to print a document and
              save a file - very elementary tasks in the computing world. To create
              CSS-positioned content requires pseudo-programming skills.

              This could change as word processors get improved HTML export
              facilities or a new crop of WYSIWYG XHTML+CSS authoring tools
              mature.

              3. Browsers have their own security issues.

              Remember, this is where security exploits on the Internet started. As
              long as browser companies insist on risky features at the expense of
              security, anything that displays XHTML will have its own security
              risks.

              Michael Gross
              michaelg81@...
            • Okay, so don't use IE6, and use a nice point and click WYSIWYG, not notepad

              AzuMao
    • Thank you

      to Adobe spokeswoman Wiebke Lips.

      That is fair dealing, to openly suggest this.

      Regards.
      Narr vi
    • [citation needed]

      Please provide the link to the source of your instructions. Our change management & documentation process requires that information.

      As always, trying to find this information on Adobe's web site is not something they like to make easy or obvious.
      s_southern
      • Perhaps this will suffice

        http://blogs.adobe.com/adobereader/2010/04/didier_
        stevens_launch_function.html

        Sorry, link is getting killed by post but if you
        cut and paste it will work.
        Steve Goldman
        • Corrected Link

          http://blogs.adobe.com/adobereader/2010/04/
          Àvatar
    • Simple fix

      I've tried FoxIt and a few other alternative readers, but keep coming back to Acrobat Reader for its clear rendition of complex docs. Thanks for passing on this fix.
      kidtree
    • RE: Adobe suggests workaround for PDF embedded executable hack

      Adobe is one of the biggest scams in a long while. They do not allow editing of an object unless you pay an exorbitant amount of money for the software. This for something somebody sent you that wasn't even created in Adobe, but was an option in sending. One of the reasons I like Apple.
      siebent