PDF Launch Vulnerability

If you’ve been sleeping on the Adobe Acrobat and Reader /Launch vulnerability, its time to consider taking mitigating steps.
The proof of concept presented by Didier Stevens uses the /launch functionality that is part of the specification for PDF in order to execute arbitrary code.
Because this was a problem with the PDF specification, the problem effects multiple vendors. I had recently read F-Secure call for Microsoft to natively support the PDF/A format. PDF/A is a cut down version of the PDF standard. It specifically doesn’t allow file launches so by default it would be safe from this sort of attack. The problem I see is it does not support PDF encryption. You need that critical mass of people able to read PDF encrypted documents in order to be able to use PDF encryption.
Until last week, the attacks using the /launch functionality were also using JavaScript in the PDF. So if you had disabled JavaScript in Adobe, the user would now have to ignore a LOT of warnings in order to be attacked. Now an attack is in circulation that uses the /launch functionality without using JavaScript.
Its time to step up and apply the mitigation listed by Adobe in the Adobe Reader Blog

For consumers, open up the Preferences panel and click on “Trust Manager” in the left pane. Clear the check box “Allow opening of non-PDF file attachments with external applications”.

For administrators who wish to accomplish this with a registry setting on Windows, add the following DWORD value to:
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Name: bAllowOpenFile
Type: REG_DWORD
Data: 0
Furthermore, an administrator can grey out the preference to keep end-users from turning this capability on, by adding the following DWORD value to: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Name: bSecureOpenFile
Type: REG_DWORD
Data: 1
Note: These samples assumed you were adding registry settings to Adobe Reader 9. For Adobe Acrobat, you would replace “Acrobat Reader” with “Adobe Acrobat”, and for a different version, you would substitute its value for “9.0″.

.
The Adobe blog entry also lists a registry change to gray out the setting so the user can’t change it back if you’d like to do that.
Here’s a link to the ADM file I’m using to disable the /launch and javascript functionality in Adobe Reader and Adobe Acrobat. Make sure you test before using in a production environment.
adobe.adm

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>