The feature is now disabled by default

Jun 30, 2010 08:17 GMT

Adobe has finally addressed a bug facilitating a social engineering attack that could trick users into executing malicious programs from inside PDF documents. The technique abused shortcomings in Adobe's implementation of the PDF specification's /Launch feature.

At the beginning of April, a Belgian researcher named Didier Stevens revealed that the security mechanisms surrounding the /Launch action in Adobe Reader could be bypassed. His technique, dubbed "escape from PDF," could be used to mount very credible social engineering attacks.

When encountering a /Launch event, Adobe Reader used to display a warning window notifying users that they were about to open a file that could be malicious. The dialog window had a content box, which normally should have displayed the name of the file to be launched. By exploiting a bug, Stevens was able to alter the content of this field and insert any message into it, such as misleading instructions to confirm the action.

Later that month, on April 13, Adobe launched a scheduled security update for Adobe Reader and Acrobat, but failed to address this issue. That same day, antivirus vendors started issuing alerts that /Launch-based PDF attacks were spotted in the wild.

Fortunately, the bug was fixed in the Adobe Reader and Acrobat security update released yesterday, which addresses a total of seventeen critical vulnerabilities. "This update mitigates a social engineering attack that could lead to code execution (CVE-2010-1240)," the latest security bulletin reads.

Didier Stevens has confirmed the fix on his blog, reporting that "Not only is the dialog box fixed, but the /Launch action is also disabled by default." Attempting to open a file in this way will now display a warning reading "This file is set to be launched by this PDF file. This is currently disallowed by your system administrator." In addition, the field containing the name of the file to be executed can no longer be altered.
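
For defenders who want to know whether a document carries a /Launch action before it reaches a reader, the following triage check is an added example, not code from the article, Adobe or Didier Stevens. It looks for the /Launch name in the raw file and in zlib-compressed streams, and decodes `#xx` name escapes first; the sample fragments and the file name `placeholder.bin` are constructed for illustration.

```python
import re
import zlib

# A PDF name may write any character as #xx (hex), so /Launch can also
# appear as /L#61unch; names are decoded before comparison.
_NAME = re.compile(rb"/((?:[^\x00\t\n\f\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(raw):
    """Resolve #xx escapes in a name token (leading slash already removed)."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def launch_offsets(data):
    """Offsets of every name token in `data` that decodes to Launch."""
    return [m.start() for m in _NAME.finditer(data)
            if decode_name(m.group(1)) == b"Launch"]


def find_launch_actions(pdf):
    """Return (location, offset) pairs for /Launch names in a PDF byte string.

    Checks the raw body plus every stream that inflates as zlib data
    (FlateDecode). Streams using other filters or encryption are not decoded,
    so an empty result is not proof of absence.
    """
    hits = [("body", off) for off in launch_offsets(pdf)]
    for i, m in enumerate(_STREAM.finditer(pdf)):
        try:
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not zlib data
        hits += [("stream %d" % i, off) for off in launch_offsets(inflated)]
    return hits


# Constructed fragments for illustration, not real documents.
PLAIN = b"1 0 obj\n<< /Type /Action /S /Launch /F (placeholder.bin) >>\nendobj\n"
ESCAPED = PLAIN.replace(b"/Launch", b"/L#61unch")
PACKED = (b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(PLAIN) + b"\nendstream\nendobj\n")
CLEAN = b"1 0 obj\n<< /Type /Action /S /GoTo /D [3 0 R /Fit] >>\nendobj\n"

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN), ("escaped", ESCAPED),
                       ("packed", PACKED), ("clean", CLEAN)]:
        print(label, find_launch_actions(doc))
```

A hit means the document should be reviewed or quarantined rather than opened; the match is on name tokens only, so a /Launch string inside a text literal would also be flagged.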