Launching malicious content from PDFs

Last week, Didier Stevens (an independent security researcher) wrote a blog about a security hole in PDFs. In it he described how to launch arbitrary files from within a PDF.

Following on from Didier’s blog other researchers (Jeremy Conway and YunSoul [Note: Bablefish translation Korean to English]) have shown how to use this functionality to modify other PDFs (and so can be used to create malware).

So far SophosLabs have not seen any examples of malicious PDFs using this method however we would recommend that users consider disabling the ability to Launch other applications. For Acrobat Reader 9 this can be achieved by setting the following Registry under Windows.

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

Name: bAllowOpenFile
Data: 0

A fuller explanation is available via an Adobe blog entitled PDF “/Launch” Social Engineering Attack.