Skip the navigation

Researcher warns of impending PDF attack wave

No-bug-required Reader flaw 'easy to reproduce,' says expert, expects money-stealing attacks soon

April 9, 2010 03:59 PM ET

Computerworld - A design flaw in Adobe's popular PDF format will quickly be exploited by hackers to install financial malware on users' computers, a security company argued today.

The bug, which is not strictly a security vulnerability but actually part of the PDF specification, was first disclosed by Belgium researcher Didier Stevens last week. Stevens demonstrated how a multistage attack using the PDF specification's "/Launch" function could successfully exploit a fully-patched copy of Adobe Reader.

Unlike other attacks based on rogue PDFs, Stevens' technique does not require an underlying vulnerability in Adobe's Reader or Acrobat, but instead relies on social engineering tactics to dupe users into opening a malicious PDF. In his demo, Stevens used a PDF document containing attack code that he was then able to execute using the /Launch function. Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, Stevens found a way to partially modify the alert to further trick a potential victim into approving the action.

It will be easy for hackers to replicate Stevens' strategy, said Mickey Boodaei, CEO of security company Trusteer, best known for Rapport, a security service that helps online banks, brokerages, and retailers secure customers' desktops.

"Didier's information is very clear, very easy to reproduce, and the attack seems to be very effective," said Boodaei. Although Stevens did not release proof-of-concept attack code, Trusteer's engineers were easily able to duplicate his attack, including the modifications to Reader's and Acrobat's warnings.

Boodaei assumes that criminals will be able to replicate the attack -- within days, if they haven't already -- and believes that they will immediately add it to the already-in-place multi-exploit kits that they've hidden on compromised legitimate sites.

"All the infrastructure is in place," Boodaei said, citing the networks of hacked sites that criminals use to launch drive-by attacks, which typically try multiple exploits or attack vectors, in order to infect as many victims as possible. "This is just another vulnerability they can use," he said.

Adobe has acknowledged the bug, but has not yet committed to producing a patch to stymie attacks. However, the company has urged users to change Reader's and Acrobat's settings to disable the /Launch function.

In a blog post Tuesday, Adobe Reader group product manager Steve Gottwals recommended that consumers block attacks by unchecking a box marked "Allow opening of non-PDF file attachments with external applications" in the programs' preferences panes. By default, Reader and Acrobat have the box checked, meaning that the behavior Stevens exploited is allowed.

Gottwals also showed how enterprise IT administrators can force users' copies of Reader and Acrobat into the unchecked state by pushing a change to Windows' registry.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!