Adobe suggests workaround for PDF embedded executable hack

Adobe is suggesting that users configure its PDF Reader product to limit the damage from an attack.
Written by Ryan Naraine, Contributor

On the heels of a warning that malicious executables can be embedded into PDF files and launched with minimal user interaction, Adobe is suggesting that users configure its PDF Reader product to limit the damage from an attack.

Here are the instructions for mitigating a potential attack:

  • Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications”.

Adobe spokeswoman Wiebke Lips said that unchecking/clearing that box will prevent any file type other than PDF attachments from launching.

In organizations where the administrator would like to control this functionality (rather than giving the end-user the option to check or uncheck the box), Lips said the administrator can control this functionality via the registry setting on Windows by doing the following:

  • Set HKCU\Software\Adobe\Acrobat Reader\<version>\Originals\bAllowOpenFile (DWORD) to 0
  • An administrator can also grey out the preference to keep end-users from turning this capability on, by setting HKCU\Software\Adobe\Acrobat Reader\<version>\Originals\bSecureOpenFile (DWORD) to 1.
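
The two registry values above can be applied and read back with a short PowerShell function. This is an added example, not Adobe's or the article's own code; the function name is hypothetical, and it assumes every subkey directly under `Acrobat Reader` is a `<version>` key.

```powershell
function Set-ReaderAttachmentPolicy {
    # Hypothetical helper name. Applies the article's two values under
    # HKCU\Software\Adobe\Acrobat Reader\<version>\Originals for the current user.
    $root = 'HKCU:\Software\Adobe\Acrobat Reader'

    # Value names and data exactly as given in the article.
    $settings = [ordered]@{
        bAllowOpenFile  = 0   # block opening non-PDF attachments with external applications
        bSecureOpenFile = 1   # grey out the preference so the end-user cannot turn it back on
    }

    if (-not (Test-Path -Path $root)) {
        Write-Warning "Key '$root' not found for this user; nothing to configure."
        return
    }

    # Assumption: each direct subkey of $root is a <version> key.
    foreach ($versionKey in Get-ChildItem -Path $root) {
        $originals = Join-Path -Path $versionKey.PSPath -ChildPath 'Originals'
        if (-not (Test-Path -Path $originals)) {
            New-Item -Path $originals -Force | Out-Null
        }

        foreach ($name in $settings.Keys) {
            # -Force overwrites an existing value, so the result is always a DWORD.
            New-ItemProperty -Path $originals -Name $name -PropertyType DWord `
                -Value $settings[$name] -Force | Out-Null
        }

        # Read the values back so the report reflects what is actually stored.
        $current = Get-ItemProperty -Path $originals
        [pscustomobject]@{
            Version         = $versionKey.PSChildName
            bAllowOpenFile  = $current.bAllowOpenFile
            bSecureOpenFile = $current.bSecureOpenFile
            Compliant       = ($current.bAllowOpenFile -eq 0 -and
                               $current.bSecureOpenFile -eq 1)
        }
    }
}

Set-ReaderAttachmentPolicy | Format-Table -AutoSize
```

Because the values live under HKCU, the function has to run once in each user's context, for example from a logon script.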

Adobe is still investigating ways to mitigate this threat and has not ruled out a fix in an upcoming security patch.

The alternative Foxit Reader, which is also vulnerable, has issued a patch to ensure that user action is required for a successful attack, but malicious hackers could still use clever social engineering techniques to launch executables from rigged PDF files.

A demo of the PDF hack has been published by researcher Didier Stevens.

Separately, another researcher has posted a video showing that it's possible to launch an attack internally from one PDF onto another already existing PDF, raising the possibility of a PDF worm.
