Wednesday, April 7, 2010

PDF "/Launch" Issue Workarounds

Security researcher Didier Stevens demonstrated last week how an embedded executable can be run without exploiting any vulnerability. For this he used a launch action triggered by opening a specially crafted PDF file. Adobe Reader shows the user a warning asking for permission to launch the action. However, the message can be partially modified to persuade the user to allow the launch. Foxit Reader didn't display any warning, so the action was executed without user interaction.

Both Adobe and Foxit Software have reacted to this finding.

A few days after Stevens' finding, Foxit Software released a new version to fix the vulnerability. Yesterday Adobe published instructions on their blog for Adobe Reader and Acrobat users to mitigate the risk. They also said that Adobe is currently researching the best approach for this functionality in Adobe Reader and Acrobat, which may be made available in one of their quarterly updates.

Instructions to mitigate the issue in Adobe Reader and Acrobat:
1. Open up the Preferences panel.
2. Click on "Trust Manager" in the left pane.
3. Clear the check box "Allow opening of non-PDF file attachments with external applications".


There is also a registry-based solution available for administrators in the corresponding entry on Adobe's blog.
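Alongside the reader-side setting, files can be triaged before they reach a user. The following is an added example, not code from this post, Adobe or Foxit: it reports every `/Launch` name in a PDF's raw bytes, including names obfuscated with `#xx` hex escapes. The function names and sample objects are constructed for illustration.

```python
import re
import sys

# A PDF name is "/" followed by regular characters; any character may be
# written as a #xx hex escape, so /L#61unch is the same name as /Launch.
_NAME = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\f\r ()<>\[\]{}/%#])+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes in a name token (leading slash already removed)."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def find_launch_actions(data: bytes) -> list[int]:
    """Return the byte offset of every name that decodes to /Launch.

    Limitations: objects inside compressed object streams are not inflated,
    so an empty result is not proof of absence; a /Launch token inside a
    string or stream body is reported too and needs manual review.
    """
    return [m.start() for m in _NAME.finditer(data)
            if decode_name(m.group(1)) == b"Launch"]


# Constructed sample objects (not taken from any real document).
PLAIN = b"1 0 obj\n<< /Type /Action /S /Launch /F (constructed-placeholder) >>\nendobj\n"
ESCAPED = b"1 0 obj\n<< /Type /Action /S /L#61unch /F (constructed-placeholder) >>\nendobj\n"
BENIGN = b"1 0 obj\n<< /Type /Action /S /URI /URI (https://example.com/) >>\nendobj\n"

if __name__ == "__main__":
    # Usage: python scan_launch.py file1.pdf file2.pdf ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_launch_actions(fh.read())
        status = "LAUNCH ACTION at offsets %s" % hits if hits else "no /Launch name found"
        print("%s: %s" % (path, status))
```

A hit means the file should be quarantined or reviewed, not that it is malicious: launch actions are a documented PDF feature.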
