The out-of-cycle Adobe Reader and Acrobat patch released on Tuesday has failed to remedy an issue that could allow an attacker to run malicious code, according to a Vietnamese security company.
The version 9.3.3 update for the PDF software products was designed to plug several security problems, including one connected with the Launch dialogue box that could coax a user into opening an embedded executable file. Belgian security researcher Didier Stevens, who reported the issue to Adobe in March, confirmed in a blog post following the release of the patch that the problem was fixed.
However, according to Bach Khoa Internetwork Security centre (Bkis), the update has failed to fully remedy the issue, which the Vietnamese antivirus provider said is being used by viruses in attacks.
In a post on the Bkis security blog, senior security researcher Le Manh Tung argued that the fix could still be circumvented by adding quotation marks to the parameters of the executable file. If an attacker changes /F(cmd.exe) to /F("CMD.exe") in the exploit, the execution of the code is not blocked and a 'Launch file' dialogue box is displayed, he said.
In a blog post, Adobe acknowledged the problems outlined by Stevens and Bkis. However, it noted that the issue took advantage of functionality designed to be part of the PDF, rather than a flaw, and said it had added a feature to ban attachments using a blacklist.
"While blacklist capabilities alone are not a perfect solution to defend against those with malicious intent (as highlighted by Le Manh Tung [...]), this option reduces the risk of attack, while minimising the impact on customers relying on workflows that depend on the launch functionality," Adobe said in its blog post.
It also said that it had amended its launch dialogue box warning to prevent attackers inserting rogue instructions designed to persuade users to ignore the warning message.
The company said it is still considering whether to take action on the patch workaround discovered by Bkis. "We will evaluate this workaround to determine whether additional changes to the blacklist are required," it said in the blog post.
On Friday, Bkis suggested that one way for Adobe to keep its blacklist yet avoid allowing attackers to use the workaround is to make sure the parameter strings used in the launch process are given a standard form before being compared to the blacklist.
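The normalisation Bkis describes can be sketched as follows. This is an added example, not code from Adobe or Bkis. It assumes the blacklist is a set of file extensions, which the article does not specify, and the function names and blacklist entries are hypothetical.

```python
import ntpath

# Assumption: the blacklist is a set of file extensions; the article does not
# describe Adobe's actual blacklist format. Entries here are constructed.
BLACKLIST = {".exe", ".bat", ".cmd"}


def naive_is_blocked(target: str) -> bool:
    """Compare the raw parameter string to the blacklist, as written."""
    return ntpath.splitext(target)[1] in BLACKLIST


def canonicalise(target: str) -> str:
    """Reduce a launch target to one standard form before any comparison."""
    previous = None
    # Repeat until stable so nested quoting/whitespace cannot survive one pass.
    while target != previous:
        previous = target
        target = target.strip().strip('"\'')
    return target.casefold()


def is_blocked(target: str) -> bool:
    """Blacklist check performed on the canonical form only."""
    return ntpath.splitext(canonicalise(target))[1] in BLACKLIST


def compare(targets):
    """Return (target, naive verdict, canonical verdict) for each input."""
    return [(t, naive_is_blocked(t), is_blocked(t)) for t in targets]


if __name__ == "__main__":
    # The two /F values quoted in the article, plus one constructed benign name.
    for target, naive, canonical in compare(["cmd.exe", '"CMD.exe"', "notes.txt"]):
        print(f"{target!r:12} naive_blocked={naive!s:5} canonical_blocked={canonical}")
```

The quoted form passes the raw comparison because the trailing quotation mark becomes part of the extension; once the string is put into standard form, both spellings produce the same verdict.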