Fully patched versions of Adobe Reader and Foxit Reader are currently capable of launching an executable embedded within a PDF without making use of any vulnerability. Didier Stevens, a security researcher from Belgium, explained the exploit on his blog Monday without publishing how to do it. The trick doesn’t rely on JavaScript, which has been the culprit in many of the recent Adobe Reader exploits.
With a little social engineering, the demo PDF can trick users into running the executable in Adobe Reader, while Foxit Reader doesn’t display any message or wait for confirmation.
“I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.”
Mr. Stevens also created a video that shows what a loaded PDF looks like.
His website also offers a simple demo PDF for download that attempts to launch the Command Prompt. (Note: You’ll only be able to see this demo on Windows machines because other operating systems won’t have a cmd.exe in the same path. According to several comments, the path can be adjusted for Mac and Linux systems though.) The issue was reported to Adobe’s Security team, and we’ll have to wait and see if they have a response.
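A defensive check for the behaviour described above, added here as an example and not code from Mr. Stevens or the original post: it scans raw PDF bytes for the name tokens of open-triggered actions and launch actions, decoding #xx name escapes before comparing. The sample fragments are constructed and are not complete PDFs, and the function names and triage labels are assumptions.

```python
import re

# PDF name tokens relevant here: actions that fire when the document is
# opened (/OpenAction, /AA) and the action type that starts an external
# program (/Launch). /JavaScript and /JS are counted for contrast only.
WATCHED = ("/OpenAction", "/AA", "/Launch", "/JavaScript", "/JS")

# A PDF name is "/" followed by regular characters; whitespace and
# delimiter characters end it.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /L#61unch compares equal to /Launch."""
    plain = HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def count_names(data: bytes) -> dict:
    """Count watched names anywhere in the raw bytes (may over-count in strings)."""
    counts = dict.fromkeys(WATCHED, 0)
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def triage(data: bytes) -> str:
    """Hypothetical mail-gateway verdict: 'block', 'review' or 'pass'."""
    c = count_names(data)
    if c["/Launch"] and (c["/OpenAction"] or c["/AA"]):
        return "block"   # launch action together with an automatic trigger
    if c["/Launch"]:
        return "review"  # launch action present, no automatic trigger seen
    return "pass"


# Constructed fragments (no launch target, not valid PDF files).
SAMPLE_PLAIN = (b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /Type /Action /S /Launch >> endobj")
SAMPLE_ESCAPED = (b"1 0 obj << /Type /Catalog /Open#41ction 2 0 R >> endobj\n"
                  b"2 0 obj << /Type /Action /S /L#61unch >> endobj")
SAMPLE_NO_TRIGGER = b"7 0 obj << /Type /Action /S /Launch >> endobj"
SAMPLE_BENIGN = b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj"
```

A raw scan cannot see names stored inside compressed object streams, so a "pass" result only means nothing was found in the uncompressed parts of the file.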
(Via Threatpost)