Launching malicious content from PDFs

Filed Under: Malware, SophosLabs

Last week, Didier Stevens (an independent security researcher) wrote a blog about a security hole in PDFs. In it he described how to launch arbitrary files from within a PDF.

Following on from Didier's blog other researchers (Jeremy Conway and YunSoul [Note: Bablefish translation Korean to English]) have shown how to use this functionality to modify other PDFs (and so can be used to create malware).

So far SophosLabs have not seen any examples of malicious PDFs using this method however we would recommend that users consider disabling the ability to Launch other applications. For Acrobat Reader 9 this can be achieved by setting the following Registry under Windows.

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

Name: bAllowOpenFile
Type: REG_DWORD
Data: 0

A fuller explanation is available via an Adobe blog entitled PDF "/Launch" Social Engineering Attack.

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s