If you’ve been sleeping on the Adobe Acrobat and Reader /Launch vulnerability, it’s time to consider taking mitigating steps.
The proof of concept presented by Didier Stevens uses the /Launch action, which is part of the PDF specification, to execute an arbitrary program from inside a PDF.
Because this is a problem with the PDF specification rather than one vendor’s bug, it affects multiple vendors. I recently read F-Secure call for Microsoft to natively support the PDF/A format. PDF/A is a restricted subset of the PDF standard meant for long-term archiving. It specifically forbids launch actions, so by default it would be safe from this sort of attack. The problem I see is that it also forbids PDF encryption. You need a critical mass of people able to read encrypted PDF documents before PDF encryption is usable at all.
It’s time to step up and apply the mitigation listed by Adobe on the Adobe Reader Blog.
For consumers, open the Preferences panel (Edit > Preferences) and click “Trust Manager” in the left pane. Clear the check box “Allow opening of non-PDF file attachments with external applications”.
For administrators who wish to accomplish this with a registry setting on Windows, add the following DWORD value to:
Furthermore, an administrator can grey out the preference, so end users cannot turn this capability back on, by adding the following DWORD value to: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Note: these examples assume you are adding registry settings for Adobe Reader 9. For Adobe Acrobat, replace “Acrobat Reader” with “Adobe Acrobat”; for a different version, substitute its version number for “9.0”.
Two caveats before you roll this out. The keys live under HKEY_CURRENT_USER, so they apply per user profile: push them with Group Policy or a logon script rather than setting them once on the machine. And this is a mitigation, not a fix: it stops Reader from honouring the launch, it does not stop a document from carrying a /Launch action, so scanning incoming PDFs for /Launch (Didier Stevens’ pdfid tool flags it) is still worthwhile.
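The registry procedure above, as a PowerShell script an administrator could run in the user’s session (or wrap in a logon script). This is an added example, not code from the original post or from Adobe. The post does not name the DWORD values; the names used here, bAllowOpenFile (0 disables opening non-PDF attachments with external applications) and bSecureOpenFile (1 greys out the preference), are my assumption of what Adobe’s blog entry lists, and you should verify them against that entry before deploying.

```powershell
# Added example, not from the original post or from Adobe.
# ASSUMPTION: the value names bAllowOpenFile and bSecureOpenFile are not given
# on this page; verify them against Adobe's Reader Blog entry before use.
#
# Equivalent one-liner for a single version, using reg.exe:
#   reg add "HKCU\Software\Adobe\Acrobat Reader\9.0\Originals" /v bAllowOpenFile /t REG_DWORD /d 0 /f

$Products = @('Acrobat Reader', 'Adobe Acrobat')   # Reader and full Acrobat, per the note above

function Get-AdobeOriginalsKeys {
    # Enumerate HKCU\Software\Adobe\<product>\<version>\Originals for every
    # product/version that has a key in the current user's hive (e.g. 9.0, 8.0).
    foreach ($product in $Products) {
        $base = "HKCU:\Software\Adobe\$product"
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base |
            Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
            ForEach-Object { "$base\$($_.PSChildName)\Originals" }
    }
}

function Set-LaunchMitigation {
    # Clear "Allow opening of non-PDF file attachments with external applications";
    # with -Lock, also grey the preference out so the user cannot re-enable it.
    param([switch]$Lock)
    foreach ($key in Get-AdobeOriginalsKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'bAllowOpenFile' -PropertyType DWord -Value 0 -Force | Out-Null
        if ($Lock) {
            New-ItemProperty -Path $key -Name 'bSecureOpenFile' -PropertyType DWord -Value 1 -Force | Out-Null
        }
        Write-Host "Applied mitigation to $key"
    }
}

function Test-LaunchMitigation {
    # Read the values back and report, per key, whether the launch path is
    # disabled and whether the preference is locked. Missing values count as "no".
    foreach ($key in Get-AdobeOriginalsKeys) {
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Key      = $key
            Disabled = [bool]($props -and $props.bAllowOpenFile -eq 0)
            Locked   = [bool]($props -and $props.bSecureOpenFile -eq 1)
        }
    }
}

Set-LaunchMitigation -Lock
Test-LaunchMitigation | Format-Table -AutoSize
```

Because it writes to HKCU, the script only covers the account it runs under; for every profile on a machine, run it at logon or deliver the same values through Group Policy Preferences. Test-LaunchMitigation is the check to run afterwards (or from a compliance script) so you are not trusting that the write succeeded.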