From the “what the hell were they thinking department comes this story about security researchers discovering that Adobe Acrobat is trying to block security software from having visibility into the PDF files it opens via blocking what are called DLL injections. Which if you guess that this creates a security risk for the users, you get a gold star:
The outcome of Adobe blocking dll injections of security modules could potentially be catastrophic. When a security product is not injected into a process, this basically disables any visibility it may have on the process and hinders detection and prevention capabilities inside the process and inside every created child processes. Actions performed by the Adobe processes and processes created by it would essentially be much harder to monitor, as will be determining context. It would be easy enough for a threat actor to add a command in the ‘OpenAction’ section of a pdf, which can then execute PowerShell, which could for example, download the next stage malware and execute it reflectively. Any of these actions would not be detected if the security product hooks are missing.
We contacted Adobe for comment, and they answered that this is due to “incompatibility with Adobe Acrobat’s usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues”
Now Adobe claims to be working with anti-virus vendors to address this. But the fact that we are even having this discussion in 2022 is mind blowing. Because virus payloads via PDF files have been a thing among threat actors for years. And Adobe has effectively created a scenario for however long it lasts where threat actors can launch attacks on a massive scale.
Adobe gets a #EpicFail for this one.
Like this:
Like Loading...
Related
This entry was posted on June 23, 2022 at 8:29 am and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Adobe Acrobat Blocks Anti-Virus Tools From Scanning PDFs…. WTF?
From the “what the hell were they thinking department comes this story about security researchers discovering that Adobe Acrobat is trying to block security software from having visibility into the PDF files it opens via blocking what are called DLL injections. Which if you guess that this creates a security risk for the users, you get a gold star:
The outcome of Adobe blocking dll injections of security modules could potentially be catastrophic. When a security product is not injected into a process, this basically disables any visibility it may have on the process and hinders detection and prevention capabilities inside the process and inside every created child processes. Actions performed by the Adobe processes and processes created by it would essentially be much harder to monitor, as will be determining context. It would be easy enough for a threat actor to add a command in the ‘OpenAction’ section of a pdf, which can then execute PowerShell, which could for example, download the next stage malware and execute it reflectively. Any of these actions would not be detected if the security product hooks are missing.
We contacted Adobe for comment, and they answered that this is due to “incompatibility with Adobe Acrobat’s usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues”
Now Adobe claims to be working with anti-virus vendors to address this. But the fact that we are even having this discussion in 2022 is mind blowing. Because virus payloads via PDF files have been a thing among threat actors for years. And Adobe has effectively created a scenario for however long it lasts where threat actors can launch attacks on a massive scale.
Adobe gets a #EpicFail for this one.
Share this:
Like this:
Related
This entry was posted on June 23, 2022 at 8:29 am and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.