Update on Functionality Changes in Adobe Reader/Acrobat 9.3.3 in Response to PDF “/Launch” Social Engineering Attack

As part of the June 29, 2010 quarterly update for Adobe Reader and Acrobat, Adobe made changes to address a social engineering attack that abuses the PDF “/launch” functionality, demonstrated by security researcher Didier Stevens. This particular attack was not the result of exploiting a code vulnerability but instead relied on functionality defined in the PDF specification, which is an ISO standard (ISO PDF 32000-1:2008; section 12.6.4.5 of the specification defines the /launch command).
Since Didier Stevens’ initial post, we have evaluated the best long-term approach for this functionality in Adobe Reader and Adobe Acrobat. The objective has been to allow end-users and administrators to better manage and configure features like this one to mitigate the associated risks, while ensuring that the impact on existing workflows customers rely on is minimized.
We determined that disabling the ability to open non-PDF file attachments with external applications by default would negatively impact a significant part of our customer base by breaking existing workflows. As an alternative, we added attachment blacklist functionality to block attempts to launch executables or other harmful objects by default.
When the user attempts to open an executable or other blacklisted file type, the following error message appears:
[Image: AcrobatLaunchError.jpg, the error message shown when a blacklisted attachment type is launched]
This capability can be re-enabled, e.g. by organizations that rely on it.
While blacklist capabilities alone are not a perfect solution to defend against those with malicious intent (as highlighted by Le Manh Tung in a recent blog post), this option reduces the risk of attack, while minimizing the impact on customers relying on workflows that depend on the launch functionality. We will evaluate this workaround to determine whether additional changes to the blacklist are required.
As part of our defense in depth approach, we also altered the way the warning dialog (requesting user permission to launch non-PDF file attachments with external applications) works, further reducing the risk of the social engineering attack demonstrated by Didier Stevens. Previously, an attacker could have inserted instructions to the user into the warning dialog box. The release of Adobe Reader and Acrobat 9.3.3 and 8.2.3 addresses this dialog box manipulation technique. An example of the new dialog box is shown below:
[Image: AcrobatLaunchOpen.jpg, the new warning dialog requesting user permission to launch an attachment]
If an attacker works around the blacklist functionality and attempts to execute a malicious executable or other harmful object, the attachment will not execute without first displaying the warning message requesting user permission to launch the attachment. The warning message includes strong wording advising users to open and execute the file only if it comes from a trusted source.
Administrators can also edit the default attachment blacklist in Adobe Reader and Acrobat 9.3.3 and 8.2.3 via the registry setting on Windows. For further information on editing the attachment blacklist, visit http://learn.adobe.com/wiki/download/attachments/64389123/Acrobat_Attachments.pdf?version=1.
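As an added example (not Adobe's code and not the product's actual blacklist implementation), the following Python scanner shows how a defender can locate /Launch actions in a PDF, pull out the launch target named by the /F key (including the /Win sub-dictionary form from section 12.6.4.5), and apply an extension deny-list of the kind described above. The deny-list contents and the PDF fragment are constructed for illustration.

```python
import re
from typing import Dict, List

# Deny-list of attachment extensions, constructed for this example. It is not
# Adobe's shipped list, which is configured through a Windows registry setting.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js", ".msi"}

# A dictionary whose own keys include /S /Launch; one level of nested
# dictionaries (the /Win sub-dictionary defined by the spec) is tolerated.
LAUNCH_DICT_RE = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*?/S\s*/Launch(?:[^<>]|<<[^<>]*>>)*?)>>", re.DOTALL)
# A PDF literal string following an /F key, e.g. /F (setup.exe); escapes kept raw.
FILE_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _unescape(literal: bytes) -> str:
    """Resolve simple backslash escapes for parentheses and backslash (no octal)."""
    return re.sub(rb"\\(.)", lambda m: m.group(1), literal).decode("latin-1")


def launch_targets(pdf: bytes) -> List[str]:
    """File names referenced by every /Launch action found in the raw PDF bytes."""
    targets: List[str] = []
    for action in LAUNCH_DICT_RE.finditer(pdf):
        targets.extend(_unescape(f) for f in FILE_RE.findall(action.group(1)))
    return targets


def extension(name: str) -> str:
    """Lower-cased extension of the final path component, or '' if there is none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def scan(pdf: bytes, blocked=BLOCKED_EXTENSIONS) -> List[Dict[str, object]]:
    """Report each launch target and whether the deny-list would block it."""
    return [{"target": t, "ext": extension(t), "blocked": extension(t) in blocked}
            for t in launch_targets(pdf)]


# Constructed, truncated PDF fragment: one action launching an executable via the
# /Win form, one launching a document directly with /F (escaped parentheses).
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /Type /Action /S /Launch "
              b"/Win << /F (C:\\\\tools\\\\setup.exe) /D (C:\\\\tools) >> >> endobj\n"
              b"4 0 obj << /Type /Action /S /Launch /F (quarterly \\(final\\).docx) >> endobj\n")

if __name__ == "__main__":
    for finding in scan(SAMPLE_PDF):
        print(finding)
```

The scanner works on raw bytes only, so actions inside compressed object streams would first have to be inflated before being passed to scan().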