Unpatched Acrobat PDF Backdoor

ZDNet has an interesting post about the current 0-day flaw in Adobe Acrobat. The post is "Adobe confirms PDF backdoor, offers unsupported workaround".

Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines.
The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed. [1]

So how bad is it? Critical.

Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.
The issue is quite critical given the fact that PDF documents are at the core of today's modern business. This, and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. [4]

The workaround involves disabling the mailto: option in Acrobat, Acrobat 3D 8 and Adobe Reader by modifying the application options in the Windows registry.

To disable the mailto function you need to change |mailto:2| to |mailto:3|

For Acrobat Reader v8.0 this is done via the following .reg file (the key path and the value must each stay on a single line):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockdown\cDefaultLaunchURLPerms]
"tSchemePerms"="version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:1"

For Acrobat v8.0 this is done via:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchURLPerms]
"tSchemePerms"="version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:1"
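For administrators who need to verify the workaround across many machines rather than import a .reg file by hand, here is an added PowerShell script (my own example, not from the post or from Adobe) that reads tSchemePerms from both policy keys above, reports whether mailto: is set to 3, and with -Fix applies the change; the -Fix switch and the function names are assumptions of this example.

```powershell
# Audit (and optionally enforce) the mailto: lockdown for Reader/Acrobat 8.0.
# Added example; the -Fix switch and function names are assumptions, not Adobe's tooling.
param([switch]$Fix)

# The two policy keys from the workaround above.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockdown\cDefaultLaunchURLPerms',
    'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchURLPerms'
)

# Full lockdown string from the workaround, written when no policy value exists yet.
$lockedDownPerms = 'version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:1'

# Parse "scheme:level|scheme:level|..." into an ordered table so order is preserved on write-back.
function ConvertFrom-SchemePerms([string]$Value) {
    $perms = [ordered]@{}
    foreach ($pair in $Value -split '\|') {
        $name, $level = $pair -split ':', 2
        $perms[$name] = $level
    }
    return $perms
}

function ConvertTo-SchemePerms($Perms) {
    return ($Perms.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join '|'
}

foreach ($key in $policyKeys) {
    $current = (Get-ItemProperty -Path $key -Name tSchemePerms -ErrorAction SilentlyContinue).tSchemePerms
    if (-not $current) {
        Write-Output "$key : no tSchemePerms policy value present (workaround not applied)"
        if ($Fix) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name tSchemePerms -Value $lockedDownPerms -PropertyType String -Force | Out-Null
            Write-Output "  -> created tSchemePerms with mailto:3"
        }
        continue
    }
    $perms = ConvertFrom-SchemePerms $current
    if ($perms['mailto'] -eq '3') {
        Write-Output "$key : mailto:3 (locked down)"
    } else {
        Write-Output "$key : mailto:$($perms['mailto']) (NOT locked down)"
        if ($Fix) {
            $perms['mailto'] = '3'   # only the mailto: entry is changed; other schemes keep their levels
            Set-ItemProperty -Path $key -Name tSchemePerms -Value (ConvertTo-SchemePerms $perms)
            Write-Output "  -> set mailto:3"
        }
    }
}
```

Run it in an elevated PowerShell session, since the keys live under HKLM; without -Fix it only reports.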

If you don’t want to play in the registry you’ll need to wait a bit …

We expect the update to be available before the end of October. [5]

Good luck.

[1] Adobe confirms PDF backdoor, offers unsupported workaround (2007-Oct-08) [ZDNet]
[2] 'High risk' zero-day flaw haunts Adobe Acrobat, Reader (2007-Sep-20) [ZDNet]
[3] Adobe Confirms Unpatched PDF Backdoor (2007-Oct-08) [Slashdot]
[4] 0day: PDF pwns Windows (2007-Sep-20) [Gnucitizen]
[5] Workaround available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat (2007-Oct-05) [Adobe]
