Adobe PDF "/Launch" Social Engineering Attack to be patched on 4/13/2010
According to a security bulletin posted on Adobe.com, on April 13, 2010 Adobe will release version 9.3.2 of Adobe Reader and Acrobat for Windows, Mac and Linux/Unix. This is a critical update that will correct a feature that has been demonstrated to be an attack vector usable by criminal exploiters. There will also be an update from version 8.2.1 to 8.2.2 for Windows and Macintosh users still on the 8.x branch.
If you have installed Adobe Acrobat or Reader 9.3.1 and chosen to set the preferences to automatically check for and apply updates, you should receive the new version when it is released in your timezone, on April 13, 2010. If you haven't set that preference, you can do so now, by following these steps...
1. Open Adobe Reader 9.x.
2. Click on Edit, scroll down to the bottom of the flyout options and click on "Preferences."
3. When the Preferences box opens, go to the last entry on the left, labeled "Updater," and click on it.
4. In the options select "Automatically install updates."
5. Click OK to save your changes.
If you cannot allow the automatic updater to be enabled, due to company policy or paranoia, you should check for updates manually, by opening Reader or Acrobat, then go to the "Help" menu item, then click on the flyout option "Check for Updates." You must have Administrator privileges to check for updates, or to alter the automatic updater preferences.
The feature that is being patched on April 13 is a command known as "/Launch /Action" - which has been a part of Adobe Reader and Acrobat for a very long time. Adobe Reader and Acrobat are able to open or launch embedded and external applications by using this function, but they first display a dialog box requesting the user's permission. The wording inside that dialog box can be set by the author of the PDF file. This allows a criminal or hacker to craft text designed to fool users into thinking they are doing the right thing by opening an application or executable embedded within the PDF package. This is plain social engineering, of the kind already used successfully in various phishing attacks. They could make a PDF document look like a message from your bank or loan company, complete with authentic logos, then present the Open dialog box with wording to the effect that you must click Open to submit the enclosed form. You could be fooled into installing a keylogger or bot malware on your PC, just like that.
As was demonstrated by researcher Didier Stevens on March 29, 2010, if a user receives such a specially crafted PDF file and is tricked into allowing the Launch action to take place, their computer could become infected with an embedded virus or malware downloader, or the default browser could be opened to a URL where malware attacks are launched. Furthermore, another proof-of-concept exploit has been demonstrated showing that this attack could be used to infect other clean PDF files on that computer, turning the original malware-laden PDF file into a replicating worm.
If you don't want to wait for Adobe's patch to be released on April 13, you can manually disable the feature that allows the exploit to occur. Just open the Adobe Reader or Acrobat Preferences (under Edit), find the left sidebar option labeled "Trust Manager" and click on it. When the Trust Manager options load, uncheck the top option labeled: "Allow opening of non-PDF file attachments with external applications." Click OK and you are protected from this particular exploit vector.
While the Reader/Acrobat Preferences are still open, consider disabling JavaScript (under "JavaScript") and/or the display of PDF documents in web browsers (under "Internet"). That closes two other attack vectors already in use by malware authors. If you find that you need JavaScript to fill in forms or read certain documents, just re-enable it as needed.
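The two vectors discussed above, the /Launch action and embedded JavaScript, can also be spotted on the defender's side before a file is ever opened. The following static triage script is an added example (it is not Adobe's code and not part of the original post): it counts the PDF name tokens that matter for these attacks, decodes the #XX hex escapes that PDF allows inside names (so /#4Caunch is recognised as /Launch), and inflates FlateDecode streams so an action dictionary hidden in a compressed object stream is still seen. The sample PDFs inside the script are constructed fixtures, "example.exe" is a placeholder, and the compressed-stream fixture is a simplified stand-in for a real object stream.

```python
"""Static triage of PDF files for /Launch and JavaScript actions.
Added example, not Adobe's code: counts security-relevant PDF name tokens,
decoding #XX name escapes and inflating FlateDecode streams along the way."""
import re
import zlib
from collections import Counter

# Names worth a closer look: /Launch is the vector patched on 4/13/2010,
# /JS and /JavaScript are the script vector, /OpenAction and /AA make an
# action fire automatically instead of on a click, /EmbeddedFile is an
# attachment a Launch action can target, /URI opens the browser.
WATCH = ("Launch", "JS", "JavaScript", "OpenAction", "AA", "EmbeddedFile", "URI")

# A PDF name is "/" followed by regular characters; whitespace and the
# delimiters ( ) < > [ ] { } / % end it.  "#XX" inside a name is a hex escape.
_NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]+)")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _decode_name(raw: bytes) -> str:
    """Turn b'#4Caunch' into 'Launch': resolve #XX escapes, decode as Latin-1."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def _inflated_streams(data: bytes):
    """Yield the contents of every stream body that inflates as zlib (FlateDecode).
    Object streams (PDF 1.5+) can carry whole action dictionaries this way."""
    for m in _STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates trailing bytes such as the EOL before 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not a Flate stream (image data, fonts, ...)


def scan_pdf(data: bytes) -> Counter:
    """Count watched names in the raw bytes plus every inflatable stream."""
    counts = Counter({name: 0 for name in WATCH})
    for chunk in [data, *_inflated_streams(data)]:
        for m in _NAME_RE.finditer(chunk):
            name = _decode_name(m.group(1))
            if name in counts:
                counts[name] += 1
    return counts


def triage(counts: Counter) -> str:
    """Coarse verdict: an action that fires on open is worse than one behind a click."""
    fires_on_open = counts["OpenAction"] + counts["AA"] > 0
    if counts["Launch"]:
        return "high" if fires_on_open else "medium"
    if counts["JS"] + counts["JavaScript"]:
        return "medium" if fires_on_open else "low"
    return "none"


# Constructed fixtures (synthetic, not real malicious files).  LAUNCH_PDF mimics
# the pattern from the post: an OpenAction that is a Launch action naming a file.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (example.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same action, but the name is written with a hex escape (/#4Caunch == /Launch),
# which defeats a plain search for the bytes b"/Launch".
OBFUSCATED_PDF = LAUNCH_PDF.replace(b"/Launch", b"/#4Caunch")

# A script action that runs on open (app.alert is a harmless Acrobat JavaScript call).
JS_PDF = LAUNCH_PDF.replace(
    b"/S /Launch /Win << /F (example.exe) >>", b"/S /JavaScript /JS (app.alert(1))")

BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample() -> bytes:
    """Hide the Launch dictionary inside a Flate-compressed stream (simplified
    stand-in for an object stream; a real /ObjStm also carries an offset table)."""
    inner = b"4 0 obj << /Type /Action /S /Launch /Win << /F (example.exe) >> >> endobj"
    body = zlib.compress(inner)
    return (b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
            b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in [("launch", LAUNCH_PDF), ("obfuscated", OBFUSCATED_PDF),
                       ("javascript", JS_PDF), ("compressed", build_compressed_sample()),
                       ("benign", BENIGN_PDF)]:
        c = scan_pdf(pdf)
        print(f"{label:11s} verdict={triage(c):6s} {dict(c)}")
```

Run it on a real file with scan_pdf(open(path, "rb").read()). The scanner is a heuristic, not a parser: it does not follow the cross-reference table, so a name inside a string or an unused object still counts, and any file that rates "medium" or "high" deserves a look with a proper tool rather than a double-click.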
You can greatly reduce your computer's likelihood of becoming infected by operating with non-Administrator rights. If you use Windows XP Home you can demote your account to Limited User, while XP Professional users can become Power Users. Vista and Windows 7 have a new account type called Standard User, and that is what you should use for your everyday operation. You should read my recent post explaining how 90% of critical Windows vulnerabilities can be mitigated by removing Admin rights from an account.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.