
SANS ISC: Adobe launch issue response/work around.


Adobe launch issue response/work around.

Late last month Didier discussed a POC relating to the /Launch functionality in PDF files (http://isc.sans.org/diary.html?storyid=8545).

Adobe published a reply and a workaround for this on their blog pages (http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html).

The article shows a few default settings that can be changed and a registry modification to reduce the risk of this type of attack. Adobe is examining the issue and deciding what to do. They may make a fix available as part of their quarterly updates to the product.

Mark 

Mark

391 Posts
ISC Handler
The problem with the Adobe blog proposal is that it describes a *per user* setting.

Organizations will want to use policies, and Adobe Customization Wizard promises to handle this correctly by checking (under File Attachments):
[v] Prevent document from opening other files and launching other applications.

Note: instead of using Adobe Customization Wizard the same policy can be applied using administrative templates. An example of such a template can be found here: http://www.ervik.as/index.php/downloads?task=viewcategory&catid=5

However, this policy DOES NOT WORK in most cases!

Interestingly, if the user looks at the Trust Manager preferences, she will see that the checkbox "Allow opening of non-PDF file attachments with external applications" is *cleared* (and grayed); however, this does not necessarily block Launch actions...

Only after the particular user has at least *looked* at the Trust Manager settings *and* subsequently pressed the OK button in the preferences dialog box does Acrobat Reader create the registry value "bAllowOpenFile" (in HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals) and set it to 0; only from that moment on will the user not be confronted with a dialog box asking her "do you want to start malware.exe? [OK] [Cancel]".

After submitting a report to Adobe's PSIRT regarding this issue on Tuesday, yesterday I received a positive response from Adobe stating that "a bug was logged to resolve this inconsistency".

Conclusion: organizations may want to implement the strategy described in the Adobe blog, perhaps by creating the "bAllowOpenFile" value from a logon script.
Erik van Straten

122 Posts
Hello,

Aside from this workaround on the Adobe page, I hope Adobe coordinated with big AV players like Symantec, McAfee, Sophos, etc. to detect such a launch in their behavioral engine. It's hard to implement this workaround in a complex enterprise environment, so at least Symantec can uniformly protect users.

I believe only Sophos created a signature on this behavior as of this writing. Hopefully we can hear from other AV players as well.
Erik van Straten
10 Posts
Hey, thanks Bitwiper. From what you said I was able to get it working on all user accounts without needing them to open the menu and look at the option.

What you do:
1. Load your installer in the Customization Wizard.
2. Go to the registry settings.
3. Add a new key under HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\ called "Originals".
4. Under that key add a new DWORD value called "bAllowOpenFile".
5. Leave the value as 0.
6. Now go to the file types menu and deselect "allow non-PDF files"; it is the first option (I don't remember the exact name at the moment).
7. Save.

You are now done; each user will now be safe from this. You will no longer have to go in and view the menu option to turn this setting on.

I joined just to say thanks and let you know what you helped me do.

have a good one,

Ryan
Erik van Straten
1 Posts
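Bitwiper's conclusion (create "bAllowOpenFile" from a logon script) and Ryan's Customization Wizard steps both come down to pre-seeding the same per-user value. The script below is an added example, not code from the diary, Adobe or either poster: it runs in the user's context, creates the Reader 9.0 key from the thread if needed, sets the DWORD to 0 and verifies the result. The 9.0 path is the one quoted in the thread; applying it to other Reader versions is an assumption.

```powershell
# Added example (not from the diary): per-user logon script that pre-creates the
# "bAllowOpenFile" value so Reader 9 blocks Launch actions without the user ever
# having opened the Trust Manager dialog. Assumes the 9.0 path given in the thread.
$ReaderKey = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\Originals'
$ValueName = 'bAllowOpenFile'

function Test-LaunchBlocked {
    param([string]$Key = $ReaderKey)
    # $true only when the value exists AND is 0. A missing value is the inconsistent
    # state described above: the checkbox looks cleared, but Launch is not blocked.
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$ValueName -eq 0)
}

function Set-LaunchBlocked {
    param([string]$Key = $ReaderKey)
    if (-not (Test-Path $Key)) {
        # -Force creates the intermediate keys (e.g. "9.0") if they are absent.
        New-Item -Path $Key -Force | Out-Null
    }
    # DWORD 0 = do not open non-PDF attachments / launch other applications.
    New-ItemProperty -Path $Key -Name $ValueName -PropertyType DWord -Value 0 -Force |
        Out-Null
}

# Idempotent: only write when the protective value is not already in place.
if (-not (Test-LaunchBlocked)) {
    Set-LaunchBlocked
}

if (Test-LaunchBlocked) {
    Write-Output "$ValueName=0 present under $ReaderKey; Launch prompts are suppressed."
} else {
    Write-Warning "Could not set $ValueName under $ReaderKey; check the user's registry permissions."
}
```

Test-LaunchBlocked on its own is also a convenient compliance check: run it across a sample of accounts to find users whose Reader profile still lacks the value.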
