Softpedia
 


July 2nd, 2010, 05:31 GMT · By

Adobe Investigates /Launch Fix Workaround



[Image: Adobe evaluates /Launch fix circumvention method]

Adobe announced that it will investigate the /Launch bug fix circumvention method disclosed by a Vietnamese security researcher yesterday. Meanwhile, it points out that the feature's open file dialog has been completely modified to render arbitrary content insertion impossible.

The critical security updates for Adobe Reader and Acrobat which shipped earlier this week addressed various remote code execution vulnerabilities, including shortcomings in the PDF /Launch feature implementation, which allowed mounting credible social engineering attacks. This bug is identified as CVE-2010-1240 in the Common Vulnerabilities and Exposures database and was discovered by a security researcher named Didier Stevens earlier last month.

The /Launch option is described in the official PDF specification and can be used to launch external non-PDF files. Before the last Adobe Reader update, triggering this action from a PDF document generated an alert in the program, asking for confirmation from the user. However, Mr. Stevens found a way to insert arbitrary text into this dialog box, which could be leveraged to deceive the user into allowing the action to continue and possibly launch a malicious executable.

After the recent Adobe Reader update, Stevens confirmed the fix for this bug, pointing out that the /Launch action has been disabled by default. However, Le Manh Tung, a security researcher from Vietnamese antivirus vendor Bkis, demonstrated yesterday that by simply enclosing the file name in quotes, that restriction is circumvented.

[Image: Revamped /Launch open file dialog]

"We determined that disabling the ability to open non-PDF file attachments with external applications by default would negatively impact a significant part of our customer base by breaking existing workflows. As an alternative, we added attachment blacklist functionality to block attempts to launch executables or other harmful objects by default," explains Brad Arkin, Adobe's director of product security and privacy.

Mr. Arkin said the company is currently evaluating Le Manh Tung's workaround and is prepared to make additional changes to the blacklist if required. He also points out that the open file dialog displayed when a /Launch action is triggered has been revamped. It now features three radio selection fields instead of a text area, making the insertion of rogue instructions impossible.
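
The quoting circumvention and the attachment blacklist described above show why a filter should normalise a /Launch target before checking its extension. The Python sketch below is an added example, not Adobe's code and not part of the original article: the blocklist contents, the function names and the sample PDF fragment are constructed for illustration, and it assumes /Launch targets written as simple literal strings.

```python
import re

# Hypothetical blocklist for illustration; not Adobe's actual list.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".vbs", ".js"}

# Finds the /F file specification of a /Launch action written as a literal
# string, e.g. "/S /Launch /F (cmd.exe)" or "/S /Launch /Win << /F (cmd.exe) >>".
# Hex strings, nested parentheses and /F placed before /S are out of scope.
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b[^>]*?/F\s*\(((?:\\.|[^\\)])*)\)")

# Constructed sample: three action objects as they might appear in a PDF body.
SAMPLE = (
    b"1 0 obj\n<< /Type /Action /S /Launch /F (report.pdf) >>\nendobj\n"
    b"2 0 obj\n<< /Type /Action /S /Launch /Win << /F (cmd.exe) >> >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /Launch /Win << /F (\"cmd.exe\") >> >>\nendobj\n"
)

def launch_targets(pdf_bytes):
    """Return the raw /F targets of every /Launch action found."""
    return [m.group(1).decode("latin-1") for m in LAUNCH_RE.finditer(pdf_bytes)]

def extension(name):
    """Return the lower-cased text from the last dot onwards, or ''."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def naive_is_blocked(target):
    # Weak check: compares the extension of the string exactly as written,
    # so a trailing quote character becomes part of the "extension".
    return extension(target) in BLOCKED_EXTENSIONS

def normalize(target):
    # Remove surrounding quotes and whitespace, then the trailing dots and
    # spaces that Windows ignores when resolving a file name.
    return target.strip(" \t\r\n\"'").rstrip(". ")

def hardened_is_blocked(target):
    # Same blocklist, applied to the normalised name.
    return extension(normalize(target)) in BLOCKED_EXTENSIONS

def scan(pdf_bytes):
    """Return (target, naive_verdict, hardened_verdict) per /Launch action."""
    return [(t, naive_is_blocked(t), hardened_is_blocked(t))
            for t in launch_targets(pdf_bytes)]

if __name__ == "__main__":
    for target, naive, hardened in scan(SAMPLE):
        flag = "  <-- verdicts differ" if naive != hardened else ""
        print(f"{target!r}: naive={naive} hardened={hardened}{flag}")
```

Any target on which the two verdicts differ is worth logging, since it means the name was written in a form that changes how a literal comparison sees it.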

