Disguised PDF attack possible

A design flaw in Adobe’s popular PDF format which was published by Didier Stevens in first week of April can be used by hackers to install malwares on users’s computers.

Its a policy flaw and not a security vulnerablity in Adobe Reader that could cause this. Researcher demonstrated this attack using the PDF specification’s “/Launch” function which could exploit this policy flaw on a fully-patched Adobe Reader.

Today (Thursday) Adobe is expected to announce the patches it plans to deliver next week as a part of its quarterly security updates. Adobe has urged users to be careful while opening PDFs and has given a work around towards the “/Launch” design flaw and recommended to uncheck the setting of “Allow opening of non-PDF file attachments with external applications” in the programs’ preferences pane. This way user can avoid the possible attack.

Company provided more details on this on the their blog – “PDF “/Launch” Social Engineering Attack”.