Involves registry hack

Jul 5, 2010 09:31 GMT  ·  By

A security researcher has found a way to block the bypass of Adobe's /Launch bug fix that was disclosed last week. The mitigation involves modifying Adobe Reader's blocklist in the registry.

The /Launch bug refers to a shortcoming in Adobe Reader's implementation of the PDF /Launch action. This feature, which is part of the official specification, can be used to initiate the opening of non-PDF files from inside a PDF document.

At the beginning of April, a security researcher named Didier Stevens revealed that the feature can be abused in Adobe Reader to launch very credible social engineering attacks that could lead to arbitrary code execution. His method was later picked up by hackers and actively used in attacks.

It took Adobe almost three months to address the issue, but a fix was eventually included in the Reader and Acrobat security update that shipped last week. Unfortunately, the users' joy did not last very long, because a security researcher from Vietnamese antivirus vendor Bkis revealed how the patch can be easily bypassed by enclosing the file name in quotes.

Adobe subsequently announced that it is evaluating the bypass method and will take corrective measures if necessary. However, the Reader and Acrobat updates ship according to a quarterly schedule, with the next one not due until October 12, 2010. That is a very long time to wait with a bug like this already being exploited in the wild.

The good news is that after investigating the workaround, Mr. Stevens came up with a mitigation solution of his own. 'I did some research and discovered that Adobe implemented a blacklist of extensions for the launch action, but that the blacklisting functionality identifies the file type of "cmd.exe" as .exe", and not .exe,' the security researcher explains on his blog.

His fix for the bypass involves editing the tBuiltInPermList registry value under HKLM\SOFTWARE\Policies\Adobe\product\version\FeatureLockDown\cDefaultLaunchAttachmentPerms. This value contains a list of file extension definitions of the form .ext:3, separated by |.

In order to block the quote bypass, a new entry of .exe":3 must be added to this list. However, Stevens points out that double quotes, as in ""cmd.exe"", also bypass the restriction, so .exe"":3 should also be added to the list in the registry.

Fortunately, triple or quadruple quotes are not allowed by Adobe Reader. "But should there still be other valid characters to append to the extension, you can block them in the same way as I showed here, until Adobe fixes the blacklist functionality," the researcher advises.
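The registry edit described above, as an added PowerShell script that is not from the article or from Didier Stevens: it reads tBuiltInPermList, appends the two entries if they are missing, and writes the list back without disturbing existing entries. The product and version path segments are the article's placeholders; the default values below are assumptions and must be changed to match the installed Reader, and the script must run from an elevated shell.

```powershell
# Added example: merge the two quote-bypass entries into Adobe Reader's
# /Launch blocklist (tBuiltInPermList). Not code from the article.
param(
    # Assumed placeholders: set these to the installed product and version,
    # which the article leaves as "product" and "version".
    [string]$Product = 'Acrobat Reader',
    [string]$Version = '9.0'
)

$keyPath   = "HKLM:\SOFTWARE\Policies\Adobe\$Product\$Version\FeatureLockDown\cDefaultLaunchAttachmentPerms"
$valueName = 'tBuiltInPermList'

# The two entries from the article: .exe followed by one or two double quotes,
# with permission 3 (blocked), in the .ext:3 form the list uses.
$newEntries = @('.exe":3', '.exe"":3')

# Create the policy key if it has never been set (needs administrator rights).
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Read the current |-separated list; an absent value yields an empty list.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
$entries = @()
if ($current) {
    $entries = @($current -split '\|' | Where-Object { $_ -ne '' })
}

# Merge idempotently so re-running the script never duplicates an entry.
foreach ($entry in $newEntries) {
    if ($entries -notcontains $entry) {
        $entries += $entry
    }
}

$merged = $entries -join '|'
Set-ItemProperty -Path $keyPath -Name $valueName -Value $merged -Type String
Write-Output "tBuiltInPermList is now: $merged"
```

Re-read the value with Get-ItemProperty afterwards to confirm that both entries are present before relying on the change.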

You can follow the editor on Twitter @lconstantin