Adobe Acknowledges Flaw in PDF for Windows, Urges Registry Hacks

By Scott M. Fulton, III | Published October 9, 2007, 12:10 PM

Confirming a statement made almost in passing by Petko D. Petkov on his GNUcitizen.org blog over two weeks ago, Adobe has released a security advisory warning of a potentially exploitable flaw in its Acrobat and Adobe Reader software. While Petkov has never made the exploit itself public, Adobe's recommended registry fix suggests a maliciously crafted PDF can be made to send e-mail undetected.

Instructions posted to Adobe's security site tell Acrobat and Adobe Reader users where they should edit a particular entry in the Windows System Registry. That entry contains a list of the protocol identifier stubs that may typically be found embedded in PDF files. There, users will find a long zero-terminated string (REG_SZ), which lists several URI stubs, each followed by a digit evidently denoting how the PDF handler should process it.

As the instructions state, changing the digit attributed to mailto: from 2 to 3 disables processing of URLs embedded in a PDF file that contain mailing links, while deleting that portion of the entry altogether forces Acrobat to show a prompt asking the reader what to do with the link. Whether this latter option prevents a PDF document from sending a specific e-mail without the user's permission is unclear.

Registry Editor showing the spot where Adobe suggests Acrobat/PDF users make edits


The figure above shows Registry Editor being used to edit the Windows System Registry as suggested by Adobe. The company said it plans to issue a permanent fix for this problem as an engineering update before the end of October. In the meantime, it's advising Windows customers to edit their registry manually - which, as any system admin knows, is a dangerous proposition.
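The two variants of the workaround described above, as an added example that is not Adobe's code or part of the original article: it rewrites only the mailto: portion of the string and writes every other preference back untouched. The "|" and ":" separators and the sample string are assumptions, since the article does not reproduce the value; only the digits 2 and 3 and the deleted-entry case come from the text.

```python
# Added example. Separators and SAMPLE are assumptions (constructed);
# the article only gives mailto digits 2 and 3 and the "deleted" case.
SAMPLE = "version:1|http:2|https:2|mailto:2|file:2"

def parse_entries(value, sep="|"):
    """Split the REG_SZ string into ordered (scheme, digit) pairs.

    Tokens that are not scheme:digit keep digit=None so they round-trip as-is.
    """
    entries = []
    for token in value.split(sep):
        scheme, colon, digit = token.rpartition(":")
        if colon and scheme and digit.isdigit():
            entries.append((scheme, digit))
        else:
            entries.append((token, None))
    return entries

def serialize(entries, sep="|"):
    return sep.join(s if d is None else f"{s}:{d}" for s, d in entries)

def mailto_state(value):
    """Classify the string: 'disabled' (3), 'prompt' (no entry), 'not_applied' (2)."""
    digits = [d for s, d in parse_entries(value)
              if d is not None and s.lower() == "mailto"]
    if not digits:
        return "prompt"
    if all(d == "3" for d in digits):
        return "disabled"
    return "not_applied" if "2" in digits else "unknown"

def apply_workaround(value, mode="disable"):
    """mode='disable' sets mailto to 3; mode='prompt' deletes the mailto entry."""
    if mode not in ("disable", "prompt"):
        raise ValueError(f"unknown mode: {mode}")
    out = []
    for scheme, digit in parse_entries(value):
        is_mailto = digit is not None and scheme.lower() == "mailto"
        if is_mailto and mode == "prompt":
            continue  # dropping the entry is the "ask the user" variant
        out.append((scheme, "3" if is_mailto else digit))
    return serialize(out)

if __name__ == "__main__":
    for mode in ("disable", "prompt"):
        fixed = apply_workaround(SAMPLE, mode)
        print(mode, "->", fixed, "->", mailto_state(fixed))
```

Running `mailto_state` over the exported value before and after the edit confirms which of the two states a machine is actually in.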

Though Adobe did not say so explicitly, the fact that the problem Petkov discovered can be thwarted by disabling handling of the mailto: resource identifier clearly suggests PDFs can send mail in the background without user intervention.

What's unknown at this time is whether a specific e-mail client must be relied upon for such stealth functionality to work. In other words, does Microsoft Outlook pass the mail through undetected, or does Outlook or any specific client play a role here?

Unusually, Petkov himself has posted no public comment about Adobe's acknowledgement today, though Adobe does credit him with the discovery of the vulnerability.

Comments

Also in the same area is a "cDefaultLaunchAttachmentPerms", and under that is a .bat (batch file).

Surely this is also a threat?

Personally I don't want PDFs to launch anything.

Score: 0

Why don't they supply a registry file to download?!

Score: 0

Because the key you edit contains other user-changeable preferences. Credit Adobe for storing this all in one key.

Score: 0

Hmm. I'm shuddering with trepidation, but I can't decide if I'm more worried about this security flaw or the idea of my elderly mother and her best friend poking around in her registry. In fact, the more I think about this, I think I'd prefer the flaw because it can't call me at 6 A.M. to report that there is a "blue screen of death" loading when she tries to start her computer. As is often the case, this issue will impact those with the least amount of technical knowledge most heavily, and the fix could cause more problems than it solves in this group of users. I think this position is irresponsible on the part of Adobe since an update like this should be made automatic in their software. They've had two weeks, and that's long enough to script an update to change a registry value. Oh well. Maybe Mom will make some cherry pie when I come over to fix her machine. Come to think of it, Adobe loses on this one since my mom makes the best cherry pie. :P

Score: 0

Yeah she does!

Score: 0

"In the meantime, it's advising Windows customers to edit their registry manually - which, as any system admin knows, is a dangerous proposition."

The registry is edited, read from, and manipulated thousands of times a session without issues. It's when apps that "tweak" it are let loose on the thing it falls apart.

Score: 0

Or people that do not know what they are doing.

Score: 0

I use Adobe Acrobat 5.0 and it's not a problem in there. I looked at all the Acrobat entries and it just didn't have any such setting, and they are not in policies in version 5. So I think this is limited to the bloated slow loading versions of Adobe Acrobat Reader...

I just do not get the reason Adobe destroyed a perfect product and added all that DRM garbage to it. I can read anything with 5.0 and it's very fast loading. The print to PDF feature makes PDF creation easy and efficient. Anymore people use 3rd party PDF tools to make their PDF instead of Acrobat because those 3rd party tools are so fast. Acrobat 5.0 is as well. So I am assuming anything higher is slow because of all the DRM and policy management garbage in those versions...

Score: 0

It's actually unclear which versions are affected. It says 8.1 or earlier. Do they mean earlier versions of 8, or all earlier versions of the programs listed? I'm assuming this only applies to version 8.x, but that's not what it says.

Score: 0

If by "earlier versions", they mean all before and including 8, then this vulnerability has been out since the beginning of time.

Score: 0

matt2971: Foxit is a great alternative for casual PDF browsers, but do realize that for professionals who use PDFs for large brochures at high DPI, Adobe Reader does actually perform better and render the PDFs properly.

I'm a huge advocate for Foxit's success, but I still don't believe that it is time for Foxit to take on Adobe head to head as a full replacement.

Score: 0

Why doesn't Microsoft buy Foxit software already, and bundle it with Windows?

So many hours of my life, wasted, installing Adobe Reader.

Score: 0

Uh, because Microsoft is absolutely petrified to bundle ANYTHING with Windows anymore that might harm competitors?

Score: 0

You got that right. As soon as they did, someone, meaning many, would be screaming "monopoly" again. Then the EU would want them to unbundle it, so the European community can load Adobe on it.

**Edit**
Then again, maybe the EU should go after Adobe.

Score: 0

Er, one word: Foxit.

Score: 0
