Critical PDF Reader Patch Fixes '/Launch' Command Attack Vector

2010-06-29T17:58:28
ID THREATPOST:4A552C91F8B1A9D79BE532C51B4CC78A
Type threatpost
Reporter Ryan Naraine
Modified 2018-08-15T12:29:07

Description

Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac and UNIX users to malicious hacker attacks.

The update, which affects Adobe Reader/Acrobat 9.3.2 (and earlier versions), includes a fix for the outstanding PDF “/Launch” functionality social engineering attack vector that was disclosed by researcher Didier Stevens.

As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.

According to Adobe, the newest version includes changes to resolve the misuse of this command.

We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks.

More information on the security-related improvements in this update can be found in this Adobe blog post.