I’ve had a few questions put to me in the flesh-world recently regarding information on Adobe’s recently announced design flaw that may allow an attacker to launch arbitrary code or applications with very little effort. The flaw, which is actually part of the PDF specification, was disclosed by Belgium researcher Didier Stevens last month. Stevens demonstrated how a multistage attack using the PDF specification’s “/Launch” function could successfully exploit a fully-patched copy of Adobe Reader.
Didier’ technique does not require an underlying vulnerability in Adobe’s Reader or Acrobat, instead it relies on social engineering tactics to fool users into opening the PDF. Although Reader and Acrobat display a warning when aPDF file launches code, Stevens found a way to partially modify the alert to trick a potential victim into allowing the action to take place.
Didier’s attack information is very clear, very easy to reproduce, and very effective, it will be child’s play for hackers to duplicate his strategy. He did not release proof-of-concept code, however hinging on a design flaw, it will be simple to duplicate his attack, including the modifications to Reader’s and Acrobat’s warnings. Expect miscreants to weaponize this attack immediately and to add it to the multiple exploit kits that are already hidden on compromised legitimate web sites soon.
Adobe has acknowledged the flaw, but has not yet committed to producing a patch, urging users instead to disable the /Launch function in their products by unchecking a box marked “Allow opening of non-PDF file attachments with external applications” in the programs’ preferences panes. By default, Reader and Acrobat have the box checked, meaning that the exploitable behavior is allowed. Enterprise deployed copies of Reader and Acrobat can be forced into the unchecked state by pushing a change to the Windows registry. Do not expect to see this patched in April’s quarterly patch release.