It has been more than two months since Didier Stevens reported the vulnerability in PDF’s /Launch function, and two pieces of malware have already exploited it to spread widely.
Adobe has issued security patches four times (in April, May and June 2010), but the /Launch function’s vulnerability has still not been fixed.
So what will happen if new malware exploiting this vulnerability to attack Acrobat Reader users continues to emerge?
Adobe has become too dangerous to use!
Why hasn’t Adobe fixed this vulnerability?
On April 06, before the malware spread, Adobe explained on its blog: "The warning message provided in Adobe Reader and Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source. Furthermore, the default option within the dialog is to not execute".
So, Adobe assumes that its warning messages are strong enough to prevent users from running malicious files.
However, the message shown in this dialog can clearly be faked. Users then follow the "advice" to open the .pdf file that has been placed right inside Adobe’s warning box, and the warning no longer serves the purpose it was designed for. Users generally read the words in the text box rather than the warning label above it.
In fact, we carried out a small experiment with 15 computer-fluent users. As many as 12 of them still opened .pdf files that exploit the /Launch function’s vulnerability with a faked message.
This clearly shows how irresponsible the argument on Adobe’s blog is. Adobe ought to know that such warnings are meaningless: many users still open the files in spite of the warning, because the warning’s content has been faked.
Once the message is faked, Adobe cannot argue that it has given users adequate warning, and it is then not the user’s fault for opening the buggy PDF files.
It is like the following story: a warning sign carries an icon that warns of danger ahead, yet the text on the same sign says "Go this way". On seeing this sign, how many travellers would stop, and how many would keep going?
To stop attacks exploiting the /Launch function’s vulnerability in time, all AV products should update to the latest signatures for this malware, and users should take due caution when opening a .pdf file. However, to solve this issue completely, Adobe itself needs to take action to protect its users.
We strongly recommend Adobe fix this vulnerability as soon as possible.
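As a complement to signature updates, a mail or file gateway can flag any PDF that carries a /Launch action before it reaches a user. The sketch below is an added example, not code from this article or from Adobe; the function names and the sample fragments are constructed for illustration, and it assumes the action is visible in the raw bytes (it does not inflate compressed streams).

```python
import re

# PDF names can hide characters as #xx hex escapes: /L#61unch equals /Launch.
_NAME = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
AUTO_TRIGGERS = {b"OpenAction", b"AA"}  # keys that fire an action on open/page events

# Constructed sample fragments (not real documents, harmless target name).
SAMPLE_LAUNCH = (b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                 b"2 0 obj << /S /L#61unch /F (notes.txt) >> endobj\n")
SAMPLE_CLEAN = b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return _ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Report /Launch actions and auto-run triggers found in raw PDF bytes.

    Limitations: objects inside compressed streams are not inspected, and a
    name-like sequence inside stream data can cause a false positive.
    """
    launch_offsets, obfuscated, triggers = [], False, set()
    for m in _NAME.finditer(data):
        name = decode_name(m.group(1))
        if name == b"Launch":
            launch_offsets.append(m.start())
            obfuscated |= b"#" in m.group(1)  # escaped spelling is itself a red flag
        elif name in AUTO_TRIGGERS:
            triggers.add(name.decode())
    return {
        "launch_offsets": launch_offsets,
        "obfuscated_name": obfuscated,
        "auto_triggers": sorted(triggers),
        "suspicious": bool(launch_offsets),
    }


if __name__ == "__main__":
    for label, blob in (("launch", SAMPLE_LAUNCH), ("clean", SAMPLE_CLEAN)):
        print(label, scan_pdf(blob))
```

A file reported as suspicious can be quarantined or opened only in a viewer that has launch actions disabled.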