A new proof-of-concept exploit that takes advantage of a vulnerability in the way URIs (uniform resource identifier) – a compact string of characters that identify a resource- are handled in PDF files was released with a full disclosure [http://security.fedora-hosting.com/0day/pdf/pdf_poc.pdf].
Opening this PDF file also opens a New Message window
URI of the PDF file shown above
The vulnerability is caused when Adobe Acrobat passes the parameter received by the URI command to a ShellExecuteA API.
It affects the following Adobe products:
- Adobe Reader 8.1 and earlier versions
- Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions
- Adobe Acrobat 3D
As of this writing, there is still no patch available for the said vulnerability. However, exploits like this can be prevented from executing by modifying the following registry entry:
HKEY_LOCAL_MACHINESOFTWAREPoliciesAdobeAdobe Acrobat8.0 FeatureLockDowncDefaultLaunchURLPermstSchemePerms = version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2
HKEY_LOCAL_MACHINESOFTWAREPoliciesAdobeAcrobat Reader8.0FeatureLockDowncDefaultLaunchURLPermstSchemePerms = version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2
This vulnerability can be used by malicious programs to enter a target system through the automatic opening of URL and/or downloading malicious files over the internet.
More information is posted on Adobe security advisories Web site. [http://www.adobe.com/support/security/advisories/apsa07-04.html]
Additional information taken from http://www.heise-security.co.uk/news/96982.