So Much For That Adobe Patch…

A security researcher says he can force Adobe’s widely used PDF reader to execute malicious commands despite an emergency security fix the company released earlier this week.

The update to Reader and Acrobat contained a patch to prevent attackers from using the apps as a launch point for potentially dangerous commands or files on end users’ machines.  Le Manh Tung, a senior security researcher at Viet Nam–based Bkis Internet Security, said he can bypass the fix by simply putting quotation marks around the command he wants a targeted machine to remotely execute.

The weakness being exploited here was first demonstrated by researcher Didier Stevens and later expanded upon by others. While Adobe applications warn users they are about to execute a potentially dangerous program, Stevens showed it was possible to modify the wording, increasing the attacker’s chances of successfully socially engineering his victim. Fellow security researcher Jeremy Conway soon adapted the technique to devise an attack that would allow a malicious payload stashed in one PDF file to spread to another document. A few days later, a blogger who goes by the handle YunSoul modified the attack further, showing how a single malicious PDF could infect an unlimited number of documents.

Tung published his proof-of-concept on Thursday, showing how a PDF file can still be used to auto-launch the Windows calculator program.  Adobe had said it wanted to find a way to eliminate the threat without removing powerful functionality relied on by some users.