At the time the update was released, Adobe's Steve Gottwals said "We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks."
The redesigned dialog does not allow the insertion of text by the document, but the blacklist mechanism intended to block harmful objects by default has a significant flaw.
Le Manh Tung, senior security researcher at Vietnam-based Bkis, has determined that if the filename passed to the /Launch function is enclosed in quotes (e.g., "cmd.exe" instead of cmd.exe), it passes the blacklist check: "My advice is: standardize the parameter string passed to /Launch before comparing with blacklist, a basic principle in secure coding."
Didier Stevens, who disclosed the original proof of concept for this kind of social engineering exploit, has shown that a registry entry can be edited (as per Adobe's instructions) to add .exe" to the list of blocked extensions to secure against Tung's workaround, but his testing also revealed that .exe"" should be blacklisted as well.
There's no indication from Adobe that it is taking Tung's advice about standardising the filename string.
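As an added illustration (not code from Adobe or from the researchers quoted), here is the kind of raw suffix comparison that a quoted name slips past, next to a check that canonicalizes the /Launch parameter before consulting the blacklist, as Tung recommends; the extension list is constructed for the example and does not reproduce Adobe's registry value.

```python
# Constructed, illustrative blacklist of extensions a /Launch action must not open.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".vbs"}


def naive_is_blocked(param: str) -> bool:
    """The flawed pattern: compare the raw /Launch string's suffix with the list.
    '"cmd.exe"' ends in a quote character, so no blacklisted suffix ever matches."""
    lowered = param.lower()
    return any(lowered.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def normalize_launch_target(param: str) -> str:
    """Canonicalize the parameter before any policy decision: trim whitespace,
    peel off any number of wrapping quotes (the .exe" and .exe"" variants),
    drop stray quote characters, unify path separators, strip a trailing dot
    or space (which Windows ignores when resolving a name), and lower-case."""
    s = param.strip()
    while len(s) >= 2 and s[0] == s[-1] and s[0] in ('"', "'"):
        s = s[1:-1].strip()
    s = s.replace('"', "").replace("'", "")
    s = s.replace("\\", "/")
    s = s.rstrip(". ")
    return s.lower()


def hardened_is_blocked(param: str) -> bool:
    """Decide on the canonical form only, and on the final path component's extension."""
    target = normalize_launch_target(param)
    name = target.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    return ext in BLOCKED_EXTENSIONS


if __name__ == "__main__":
    for sample in ["cmd.exe", '"cmd.exe"', '""cmd.exe""', r"C:\Windows\System32\cmd.exe", "report.pdf"]:
        print(f"{sample!r:40} naive={naive_is_blocked(sample)!s:5} hardened={hardened_is_blocked(sample)}")
```

Even the normalized check remains a blacklist; an allowlist of permitted targets, or refusing /Launch outright, is the stronger default.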