Softpedia
 

July 1st, 2010, 08:48 GMT

Adobe Reader Fix for /Launch Bug is Broken

/Launch bug fix circumvented
Adobe's fix for the Reader /Launch action social engineering bug, which has already been exploited in malicious attacks, is inadequate. Security researchers from Bkis have released proof-of-concept code demonstrating that it can easily be circumvented.

Two days ago Adobe released important security updates for its Reader and Acrobat products, addressing many critical security vulnerabilities. Amongst these was CVE-2010-1240, a bug in the /Launch action implementation, which allows attackers to mount very credible social engineering attacks possibly resulting in the execution of malicious code.

The /Launch action is part of the PDF specification and is meant to be used for opening other files from inside PDF documents. The default settings in Adobe Reader prevented the launching of binary files in this way, but using some creative hacking, Didier Stevens, an IT consultant and security researcher from Belgium, managed to bypass this restriction.

Soon after Mr. Stevens' disclosure, several antivirus vendors, including Sophos and Bkis, reported that his technique had been spotted in the wild in targeted attacks. Unfortunately, Adobe didn't have time to address the problem in its April scheduled security update, and the bug remained active until two days ago, when a fix was finally announced.

At first, Didier Stevens confirmed the fix and noted on his blog that the /Launch action is now disabled by default in Adobe Reader. However, in a post on the official Bkis blog, Le Manh Tung, a senior security researcher with the company, disagrees.

"Adobe Reader version 9.3.3 has fixed the fake warning message, but the threat of exploit code execution still remains," he claims. He demonstrates how Adobe's restriction can be bypassed by simply enclosing the name of the executable file to be launched within quotes, for example "cmd.exe" instead of cmd.exe.

"Awesome," exclaimed Didier Stevens on Twitter, after seeing Le Manh Tung's circumvention method. "I assume they compare /Launch argument with cmd.exe, but don't canonicalize before compare. Secure coding 101," he wrote in a later message.
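The compare-before-canonicalize mistake Stevens assumes, shown as an added example (this is not Adobe's code and not from the article): a raw denylist comparison next to one that normalizes the name first. The function names, the denylist contents and the sample inputs are assumptions constructed for illustration.

```python
import ntpath

# Hypothetical denylist; the article names only cmd.exe.
DENYLIST = {"cmd.exe"}


def naive_is_blocked(launch_arg: str) -> bool:
    """Compare the raw /Launch file name to the denylist, with no
    canonicalization (the flaw Stevens assumes)."""
    return launch_arg in DENYLIST


def canonicalize(launch_arg: str) -> str:
    """Reduce a Windows file name to one comparable form."""
    # A double quote cannot be part of a Windows file name, so drop it.
    name = launch_arg.replace('"', "").strip()
    # Ignore any directory prefix (ntpath accepts both \ and /).
    name = ntpath.basename(name)
    # Trailing dots/spaces and letter case do not distinguish Windows names.
    name = name.rstrip(". ").lower()
    # Process creation tries .exe when no extension is given.
    if name and "." not in name:
        name += ".exe"
    return name


def canonical_is_blocked(launch_arg: str) -> bool:
    """Canonicalize first, then compare."""
    return canonicalize(launch_arg) in DENYLIST


def compare_checks(samples):
    """Return (input, naive verdict, canonical verdict) for each sample."""
    return [(s, naive_is_blocked(s), canonical_is_blocked(s)) for s in samples]


# Constructed sample inputs: the plain and quoted forms from the article,
# plus a benign file name.
SAMPLES = ["cmd.exe", '"cmd.exe"', "readme.txt"]

if __name__ == "__main__":
    for arg, naive, canon in compare_checks(SAMPLES):
        print(f"{arg!r:12} naive_blocked={naive!s:5} canonical_blocked={canon}")
```

Even with canonicalization a denylist stays brittle; keeping /Launch disabled by default, as Stevens noted the update does, is the stronger control.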
