Adobe is warning users of its Adobe Acrobat and Reader PDF applications about a new attack that could potentially expose users to risk.
The attack leverages Adobe (NASDAQ:ADBE) Acrobat and Reader's ability to launch other content and applications.
Strictly speaking, the new attack vector isn't a flaw in Adobe's software but rather relies on social engineering to trick users into clicking on something they shouldn't, which could lead to arbitrary code execution. The company credits security researcher Didier Stevens for demonstrating the attack, which the U.S. Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) also noted in an alert.
"When users open a PDF that contains a launch action, they are presented with a dialog box warning the user that a file and its viewer application are set to be launched by the PDF file," US-CERT stated in its warning." An attacker may be able to manipulate the content in the file name section of the dialog box in an attempt to convince users to open the file."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Adobe's Steve Gottwals said in a post on the Adobe Reader blog that both Reader and Acrobat include wording in the dialog box warning users to only open and execute the files from trusted sources.
He added that the default option is to not execute a file.
US-CERT, however, noted that Adobe Acrobat and Reader both provide the option to disable the warning message, enabling users to easily bypass the security mechanism.
"This is a good example of powerful functionality relied upon by some users that also carries potential risks when used incorrectly by others," Adobe's Gottwals said in his blog post.
Adobe is providing users with a way to mitigate the threat and better protect against a launch-related attack, by advising users to adjust their Trust Manager preferences to clear the check box, "Allow opening of non-PDF file attachments with external applications."
New Adobe malware threat
Beyond that step, Gottwals added that Adobe is researching ways of adjusting the launch functionality, which could result in an update that would come during a normal Adobe quarterly update cycle.
The news is the latest security threat targeting Adobe. The company's quarterly update mechanism itself has also recently come under attack, and security firm TrendMicro's TrendLabs division reported this week that it has identified a spoofing attack on Adobe update.
"This malware bears identical icons and version details to an Adobe update, which enables it to bypass antivirus software and system analysts, and to trick users into believing that it is legitimate," TrendLabs's Oscar Abendan blogged.