A flaw in Adobe Reader that was patched last week is still exploitable.
Le Manh Tung, senior security researcher at Vietnamese internet security company Bkis, claimed that ‘the patch is not working properly’.
He said that when the patch is added normally it seems to be working, but when he modified the exploit code, specifically by adding quotes to the parameters passed to /F so that /F(cmd.exe) becomes /F(“cmd.exe”), the filename is changed and Adobe Reader will not block the execution.
This, he warned, would allow cmd.exe to be executed after a user opened the file. He said: “So, Adobe Reader version 9.3.3 has fixed the fake warning message, but the threat of exploit code execution still remains.”
Responding, Brad Arkin, Adobe's director of product security and privacy, said that while blacklist capabilities alone are not a perfect solution to defend against those with malicious intent, this option reduces the risk of attack, while minimising the impact on customers relying on workflows that depend on the launch functionality.
He said: “We will evaluate this workaround to determine whether additional changes to the blacklist are required. As part of our defence-in-depth approach, we also altered the way the warning dialogue (requesting user permission to launch non-PDF file attachments with external applications) works, further reducing the risk of the social engineering attack demonstrated by Didier Stevens.
“Previously, an attacker could have inserted instructions to the user into the warning dialogue box. The release of Adobe Reader and Acrobat 9.3.3 and 8.2.3 addresses this dialogue box manipulation technique.
“In the event of an attacker working around the blacklist functionality and attempting the execution of a malicious executable or other harmful object, the attachment will not execute without first displaying the warning message requesting user permission to launch the attachment. The warning message provided includes strong wording advising users to only open and execute the file if it comes from a trusted source.”
Tung also commented that it takes Adobe three months to release a patch, which he believes is too long. Adobe commented that the next quarterly update is scheduled for 12th October 2010.
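The quoted-filename bypass Tung describes is a general weakness of string-matching blacklists. The sketch below is an added illustration, not Adobe's code: the extension lists and function names are assumptions made for the example. It shows a check on the raw /F value missing the quoted form, and two sturdier variants: normalising before matching, and a default-deny allowlist.

```python
import ntpath

# Constructed lists for illustration; Adobe's real blacklist is not on the page.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com"}
ALLOWED_EXTENSIONS = {".pdf", ".txt"}  # hypothetical allowlist

QUOTE_CHARS = "\"'\u201c\u201d"  # straight and typographic quotes


def extension_of(name: str) -> str:
    """Lower-cased extension of the last path component."""
    return ntpath.splitext(ntpath.basename(name))[1].lower()


def naive_is_blocked(target: str) -> bool:
    """Blacklist check on the raw /F string, exactly as supplied."""
    return extension_of(target) in BLOCKED_EXTENSIONS


def normalize(target: str) -> str:
    """Remove surrounding whitespace and wrapping quotes before matching."""
    return target.strip().strip(QUOTE_CHARS).strip()


def normalized_is_blocked(target: str) -> bool:
    """Same blacklist, applied to the normalised name."""
    return extension_of(normalize(target)) in BLOCKED_EXTENSIONS


def is_allowed(target: str) -> bool:
    """Default deny: only known-safe extensions may launch."""
    return extension_of(normalize(target)) in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample values modelled on the /F parameter in the article.
    for sample in ["cmd.exe", '"cmd.exe"', "\u201ccmd.exe\u201d", "report.pdf"]:
        print(f"{sample!r:14} naive_blocked={naive_is_blocked(sample)!s:5} "
              f"normalized_blocked={normalized_is_blocked(sample)!s:5} "
              f"allowed={is_allowed(sample)}")
```

Normalising closes this one variant, but the allowlist does not depend on anticipating every spelling of a dangerous name.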