Adobe PDF exploit discovered, bypasses all security measures

The only thing blocking a PDF file written by security researcher Didier Stevens from harming your system is a warning dialog. With some slight tweaking of the warning, and some crafty social engineering, your system is a sitting duck for whatever program is embedded in that PDF. 

"With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs)."

The culprit here is not a bug but a feature of the PDF language itself: the /Launch action, which the specification defines as a way for a document to open a file or run a command. Combined with a technique for carrying the executable inside the PDF (Stevens understandably doesn't go into detail about this part), the document can start any program its author chooses, provided the user clicks through the warning. That is why Stevens notes that disabling JavaScript does nothing (his PoC uses none) and that there is nothing for Adobe to patch: the reader is doing exactly what the spec says. The warning is also a smaller hurdle than it sounds, because the PDF author can partially control the text the dialog displays. Replace it with a reassuring message telling the user to open the file, and you're in. Foxit PDF Reader didn't display a warning at all at the time, which makes the threat worse there.
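To make the mechanism concrete, here is an added example written for this article; it is not Stevens' proof of concept and not Adobe or Foxit code. It builds minimal PDFs whose /OpenAction is a /Launch action and scans a file for such actions, including one hidden in a PDF 1.5 object stream or written with a hex-escaped name, both of which a plain grep for "/Launch" misses. Because it matches the action dictionary itself, it finds the action wherever it is referenced (/OpenAction, a page's /AA, a link annotation). The executable name, the lure text and the dialog_spoofing heuristic are assumptions: the page says only that the dialog text can be partially controlled, and the heuristic assumes the parameter string is what the reader echoes into the warning.

```python
"""Find /Launch actions in a PDF (ISO 32000-1, section 12.6.4.5).

Added example for this article: not Didier Stevens' proof of concept and not
Adobe or Foxit code. All sample PDFs are constructed here.
"""
import re
import zlib

LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
LITERAL = rb"\(((?:\\.|[^\\)])*)\)"  # body of a PDF literal string (balanced parens not handled)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def pdf_string(text):
    """Encode text as a PDF literal string with backslash escapes."""
    out = text.encode("latin-1")
    for raw, esc in ((b"\\", b"\\\\"), (b"(", b"\\("), (b")", b"\\)"), (b"\r", b"\\r"), (b"\n", b"\\n")):
        out = out.replace(raw, esc)
    return b"(" + out + b")"


def pdf_unescape(raw):
    """Reverse the backslash escapes of a literal string body."""
    return re.sub(rb"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), raw, flags=re.S)


def build_launch_pdf(exe, params, compress=False, obfuscate=False):
    """Constructed sample: a minimal PDF whose /OpenAction is a /Launch action.

    No xref is written, so this is scanner input, not a file a viewer would open.
    compress=True hides the action in a PDF 1.5 object stream; obfuscate=True
    writes the name with a #xx escape (section 7.3.5). A raw grep misses both.
    """
    action = (b"<< /Type /Action /S /Launch /Win << /F " + pdf_string(exe)
              + b" /P " + pdf_string(params) + b" >> >>")
    if obfuscate:
        action = action.replace(b"/Launch", b"/L#61unch")
    if compress:
        payload = zlib.compress(b"4 0\n" + action)  # "objnum offset" pair, then the object
        obj4 = (b"5 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\n"
                b"stream\n" % len(payload)) + payload + b"\nendstream\nendobj\n"
    else:
        obj4 = b"4 0 obj\n" + action + b"\nendobj\n"
    return (b"%PDF-1.5\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
            + obj4 + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def decode_names(data):
    """Expand #xx name escapes so /L#61unch reads as /Launch (also touches strings; fine here)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflated_streams(data):
    """Yield the contents of every stream that inflates as Flate, e.g. object streams."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate (image data, uncompressed content stream, ...)


def enclosing_dict(data, pos):
    """Return the innermost << ... >> containing offset pos (<< >> inside strings not handled)."""
    depth, i = 0, pos
    while i >= 1:
        pair = data[i - 1:i + 1]
        if pair == b"<<" and depth == 0:
            break
        depth += {b">>": 1, b"<<": -1}.get(pair, 0)
        i -= 2 if pair in (b"<<", b">>") else 1
    else:
        return None
    start, depth, j = i - 1, 0, i - 1
    while j < len(data) - 1:
        pair = data[j:j + 2]
        depth += {b"<<": 1, b">>": -1}.get(pair, 0)
        j += 2 if pair in (b"<<", b">>") else 1
        if depth == 0:
            return data[start:j]
    return None


def find_launch_actions(pdf_bytes):
    """One record per /Launch action in the raw body or in any inflated stream."""
    findings = []
    for layer in (pdf_bytes, *inflated_streams(pdf_bytes)):
        data = decode_names(layer)
        for m in LAUNCH_RE.finditer(data):
            d = enclosing_dict(data, m.start()) or data[m.start():m.start() + 512]
            files = re.findall(rb"/F\s*" + LITERAL, d, re.S)
            params = re.findall(rb"/P\s*" + LITERAL, d, re.S)
            p = pdf_unescape(params[0]) if params else b""
            findings.append({
                "file": pdf_unescape(files[0]).decode("latin-1") if files else None,
                "params": p.decode("latin-1"),
                # Assumption: the reader echoes the parameter string into its warning, so
                # line breaks there suggest the author is shaping what the user reads.
                "dialog_spoofing": b"\n" in p or b"\r" in p,
            })
    return findings
```

Calling `find_launch_actions(build_launch_pdf("cmd.exe", "/c calc.exe", compress=True, obfuscate=True))` still reports the action, which is the point: since there is no patch and JavaScript is not involved, any /Launch action in an inbound document is a reason to quarantine it rather than trust the reader's prompt. The scanner deliberately does not parse the full PDF object model, so it will not follow filters other than Flate or strings with nested parentheses.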

Adobe responded to the issue, according to Threatpost, with this statement:

"Didier Stevens’ demo relies on functionality defined in the PDF specification, which is an ISO standard (ISO PDF 32000-1:2008). Section 12.6.4.5 of the specification defines the /launch command. This is an example of powerful functionality relied on by some users that also carries potential risks when used incorrectly. The warning message provided in Adobe Reader and Adobe Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source. Adobe takes the security of our products and technologies very seriously; we are always evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks."


37 Comments


Well, Sumatra beats Adobe. Hell, anything beats Adobe. The only thing Adobe has is very clear text, but the alternatives are very, very close to making that argument nonexistent. And Adobe still bundles that crap they call speedup and download manager (true, you can turn them off).

I launched a PoC PDF and nothing executed. That's because I use "Sumatra PDF" reader and "Docs PDF/PowerPoint Viewer (by Google)".

Has anyone addressed whether this affects Foxit yet?

--
Tho' I like the official Adobe Reader just as much, I still just leave Foxit installed. I very rarely open pdfs, after all, and just need something slim for the occasional need... I'm surprised Foxit doesn't use a warning box for when something is executed, though. What doesn't these days?

ThaCrip said,
So this only affects Adobe?

Because I use FoxIt Reader.

No, read the linked article... PDF readers are affected to varying degrees; some don't even give the security prompt! I.e. they're actually worse than Adobe.

"patching Adobe Reader isn’t possible"

Umm, sure it is. Just disable the launch functionality. I don't really see this as a vulnerability.

Kirkburn said,
Security record with what?

IE, ActiveX, Windows, Office, etc. The record is abysmal. Up to windows 7/2008 security has always taken a back seat to sales and marketing.

thommcg said,
time to move back to paper
After that, when we discover the paper-cut as an exploit, we will eventually move to stone carvings.

Adobe Reader: "Opening this file will kill your computer, then you and your family. DO NOT OPEN!!"
User: "How am I supposed to see a water-skiing squirrel then? <open>"

Will this affect other PDF programs if it's not "really" a vulnerability in Adobe's products and part of the standard?

I'll wait until April 2nd to see if I should care about this or not. I really hate today, you can't believe anything.

TRC said,
I'll wait until April 2nd to see if I should care about this or not. I really hate today, you can't believe anything.

The source article was posted on March 30th. I doubt it is fake.

TRC said,
I'll wait until April 2nd to see if I should care about this or not. I really hate today, you can't believe anything.

I don't find it very hard to believe. A problem with Acrobat/PDFs? No wai!

While I'm sure there are some valid uses of having executable code embedded in a document file, I am still of the opinion that this idea was moronic from the start. This complaint isn't just against Adobe, but Microsoft as well. How many people would REALLY miss this functionality if it were removed entirely vs. the number of people who have had their computers compromised over the years because of this kind of stupidity?

Adobe:
"The warning message provided in Adobe Reader and Adobe Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source."

Exploit Writer:
"With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog."
http://threatpost.com/en_us/bl...ay-mitigate-pdf-hack-040110

What.

I'm sure "strong wording" will make this a non-issue... /sarcasm

XerXis said,
why would a pdf file need the ability to launch an executable anyway?

I'm just waiting for someone to embed a better pdf reader into a pdf....

XerXis said,
why would a pdf file need the ability to launch an executable anyway?

Because Adobe went crazy and stopped caring for only being able to present static documents ages ago. Embedded, non-executable fonts, graphics (bitmap and vector), and text should be all that these documents were about. If Adobe *has* to do a less secure format per design, that should have a different file extension/type and all, with a different application to open it.

Executing stuff in a document is about as stupid as ActiveX. At least MS has patched it up and hid it under warnings and settings to oblivion now in the latest IE versions. The best would be to drop it altogether because the thinking behind it is a huge fail, but what won't you do for backwards compatibility...

Edited by Northgrove, Apr 1 2010, 10:06pm

AgentGray said,
Can Adobe be shamed into...you know...fixing this crap?

Man, my Windows 7 32-bit with Avira and malware didn't stop the freaking attacker. My system was infected pretty bad; after I cleaned it up, it still gets infected from time to time, but that never happened before the first attack.

PDFs could lead to an infection; what's next? Flash video?

Oscar Salinas said,

Man, my Windows 7 32-bit with Avira and malware didn't stop the freaking attacker. My system was infected pretty bad; after I cleaned it up, it still gets infected from time to time, but that never happened before the first attack.

PDFs could lead to an infection; what's next? Flash video?

I am not surprised. Flash exploits have been on the rise for a very long time already, and it's belated to see news like this pop up. Some people didn't even know that their system had been hit by a Flash exploit at all.

AgentGray said,
Can Adobe be shamed into...you know...fixing this crap?

Doesn't look good for Adobe when they are about to release Acrobat Reader 10. I know this is for another version; it's just the timing, considering they are releasing everything a week Monday.