Researcher warns of impending PDF attack wave

No-bug-required Reader flaw 'easy to reproduce,' says expert, expects money-stealing attacks soon

A design flaw in Adobe's popular PDF format will quickly be exploited by hackers to install financial malware on users' computers, a security company argued today.

The bug, which is not strictly a security vulnerability but actually part of the PDF specification, was first disclosed by Belgium researcher Didier Stevens last week. Stevens demonstrated how a multistage attack using the PDF specification's "/Launch" function could successfully exploit a fully-patched copy of Adobe Reader.

Unlike other attacks based on rogue PDFs, Stevens' technique does not require an underlying vulnerability in Adobe's Reader or Acrobat, but instead relies on social engineering tactics to dupe users into opening a malicious PDF. In his demo, Stevens used a PDF document containing attack code that he was then able to execute using the /Launch function. Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, Stevens found a way to partially modify the alert to further trick a potential victim into approving the action.

It will be easy for hackers to replicate Stevens' strategy, said Mickey Boodaei, CEO of security company Trusteer, best known for Rapport, a security service that helps online banks, brokerages, and retailers secure customers' desktops.

"Didier's information is very clear, very easy to reproduce, and the attack seems to be very effective," said Boodaei. Although Stevens did not release proof-of-concept attack code, Trusteer's engineers were easily able to duplicate his attack, including the modifications to Reader's and Acrobat's warnings.

Boodaei assumes that criminals will be able to replicate the attack -- within days, if they haven't already -- and believes that they will immediately add it to the already-in-place multi-exploit kits that they've hidden on compromised legitimate sites.

"All the infrastructure is in place," Boodaei said, citing the networks of hacked sites that criminals use to launch drive-by attacks, which typically try multiple exploits or attack vectors, in order to infect as many victims as possible. "This is just another vulnerability they can use," he said.

Adobe has acknowledged the bug, but has not yet committed to producing a patch to stymie attacks. However, the company has urged users to change Reader's and Acrobat's settings to disable the /Launch function.

In a blog post Tuesday, Adobe Reader group product manager Steve Gottwals recommended that consumers block attacks by unchecking a box marked "Allow opening of non-PDF file attachments with external applications" in the programs' preferences panes. By default, Reader and Acrobat have the box checked, meaning that the behavior Stevens exploited is allowed.

Gottwals also showed how enterprise IT administrators can force users' copies of Reader and Acrobat into the unchecked state by pushing a change to Windows' registry.

On Thursday, another Adobe executive said Adobe is considering several options to plug the hole, among them an update to Reader and Acrobat that would change the default state of the setting to off. "We're still evaluating," said Brad Arkin, Adobe's director for product security and privacy in an interview yesterday. "The biggest thing is to make sure that any changes we do don't impact all the ways that people use the software today."

Adobe has used the same explanation when it has said it will not strip JavaScript functionality from PDF documents; over the last year, hackers have frequently exploited vulnerabilities in Reader's and Acrobat's implementation of that scripting language.

"I think Adobe should act quickly," said Boodaei, who then admitted that's unlikely. "Because of the huge distribution of their software, nearly 100% in some cases, they have to go through very extensive testing before releasing any fix to make sure it doesn't break the functionality."

Boodaei's bet? "I'm guessing that it will take them some time, unless they see an increase in attacks," he said.

And those attacks are coming. "We are seeing an increase in the sophistication of social engineered attacks. They're becoming more and more common, especially in financially-motivated attacks, whether on financial institutions or consumers," Boodaei said.

He wasn't optimistic about the ability of consumers to ward off the impending attacks. "For enterprises, it's probably easier, since security administrators can evaluate the threat on their networks and push out [Adobe's workaround] through a centralized system. But consumers will find it harder," said Boodaei.

"First, very small numbers of users will even hear about this, and of those that do, I'm not sure they'll understand what they need to do," he added.

Adobe has announced it will update Reader and Acrobat on Tuesday, April 13, to patch an unspecified number of security vulnerabilities. But a fix for Stevens' attack approach won't be included in the collection, Arkin confirmed yesterday.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies