It is common for threat actors to lace PDF files with malware. We were reminded of this just two months ago, when HP Wolf Security warned, in a report titled “PDF malware is not yet dead”, of a Snake Keylogger campaign delivered through PDFs. To make matters worse, security researchers at Minerva Labs have uncovered unusual behavior in Adobe’s Acrobat Reader that could leave users more exposed to threats hidden in PDF files.
Put simply, Acrobat Reader is blocking dozens of popular antivirus and endpoint security products from loading into its processes, which deprives them of the visibility they need to inspect what the reader does with a PDF. The list includes Trend Micro, Bitdefender, AVAST, F-Secure, McAfee, 360 Security, Citrix, Symantec, Morphisec, Malwarebytes, Check Point, AhnLab, Cylance, Sophos, CyberArk, BullGuard, Panda Security, Fortinet, Emsisoft, ESET, K7 TotalSecurity, Kaspersky, AVG, CMC Internet Security, Samsung Smart Security ESCORT, Moon Secure, NOD32, PC Matic, and SentryBay.
Part of how security products do their work is by injecting Dynamic Link Libraries (DLLs) into other applications, so that they can observe and intercept what those applications do from inside the process. Over the past few months, however, Minerva says it has observed a gradual uptick in Acrobat Reader processes checking which security product DLLs are loaded into them, and refusing to let them load, which struck the researchers as unusual.
“The outcome of Adobe blocking DLL injections of security modules could potentially be catastrophic. When a security product is not injected into a process, this basically disables any visibility it may have on the process and hinders detection and prevention capabilities inside the process and inside every created child process,” Minerva says.
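The practical question for a defender is whether the endpoint product deployed on a given machine actually has a module inside Acrobat Reader. The following PowerShell script is an added example, not code from the article, from Minerva or from Adobe; it compares the vendor DLLs loaded into Acrobat processes with those loaded into an ordinary control process on the same host, which is the observation the paragraph above describes. The process names Acrobat.exe and AcroCEF.exe, the use of explorer.exe as the control, and the requirement to run elevated in a PowerShell whose bitness matches the targets are assumptions of this example, not facts stated in the article; the vendor names come from the article’s list and are matched as plain substrings, so treat the result as a heuristic.

```powershell
# Added example (not from the article, Minerva or Adobe): compare which security-vendor DLLs
# are loaded into Adobe Acrobat processes against a control process on the same host.
# Assumptions not stated in the article: Acrobat's processes are named Acrobat.exe and
# AcroCEF.exe, explorer.exe serves as the control, and this runs in an elevated PowerShell
# whose bitness matches the target processes (otherwise Process.Modules cannot be read).

$ErrorActionPreference = 'Stop'

# Vendor names from the article's list. They are matched as substrings of a DLL's
# CompanyName or file path, so this identifies candidates, not a definitive answer.
$vendorNames = @(
    'Trend Micro', 'Bitdefender', 'AVAST', 'F-Secure', 'McAfee', '360 Security', 'Citrix',
    'Symantec', 'Morphisec', 'Malwarebytes', 'Check Point', 'AhnLab', 'Cylance', 'Sophos',
    'CyberArk', 'BullGuard', 'Panda Security', 'Fortinet', 'Emsisoft', 'ESET',
    'K7', 'Kaspersky', 'AVG', 'CMC', 'Samsung', 'Moon Secure', 'NOD32', 'PC Matic', 'SentryBay'
)
$vendorPattern = ($vendorNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-SecurityModules {
    # Returns the loaded modules of $Process whose CompanyName or path matches a vendor name.
    param([System.Diagnostics.Process]$Process)
    try {
        $modules = $Process.Modules   # throws on access denied or bitness mismatch
    } catch {
        Write-Warning ("Cannot read modules of {0} (PID {1}): {2}" -f `
            $Process.ProcessName, $Process.Id, $_.Exception.Message)
        return @()
    }
    # -match is case-insensitive by default in PowerShell.
    @($modules | Where-Object {
        $_.FileVersionInfo.CompanyName -match $vendorPattern -or $_.FileName -match $vendorPattern
    })
}

$targetNames = 'Acrobat', 'AcroCEF'   # assumption, see header comment
$controlName = 'explorer'             # assumption, see header comment

$targets = Get-Process -Name $targetNames -ErrorAction SilentlyContinue
$control = Get-Process -Name $controlName -ErrorAction SilentlyContinue | Select-Object -First 1

if (-not $targets) {
    Write-Warning 'No Acrobat processes found; open a PDF in Acrobat Reader first.'
    return
}
if (-not $control) { Write-Warning "Control process $controlName not found; reporting targets only." }

$processes = @($targets)
if ($control) { $processes += $control }

# One row per process: which vendor DLLs (if any) are present inside it.
foreach ($p in $processes) {
    $secMods = Get-SecurityModules -Process $p
    [pscustomobject]@{
        Process         = $p.ProcessName
        PID             = $p.Id
        Role            = if ($p.ProcessName -eq $controlName) { 'control' } else { 'target' }
        SecurityModules = if ($secMods) { ($secMods.ModuleName | Sort-Object -Unique) -join ', ' } else { '(none)' }
    }
}
```

Read the output as a comparison, not as a verdict: a vendor DLL that appears in the control row but is missing from every Acrobat row is the pattern Minerva describes. A DLL absent from both rows says nothing on its own, because injection is only part of how these products work, and a module that is present may still be limited by other means this script cannot see.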
Why would Adobe do this? Acrobat Reader uses the Chromium Embedded Framework (CEF) library. In a statement provided to the research team, Adobe explained that the Chromium-based engine has a restricted sandbox design and may cause stability issues with certain security tools, which is why those tools’ DLLs are kept out of its processes.
“It would appear that Adobe has chosen an approach which solves an immediate compatibility issue, but could create new issues from a security perspective. ... This to us, is a prime example of a large enterprise company with a multi-million strong install-base prioritizing convenience and essentially inserting malware-like behavior into their software instead of working to actually solve the issue at hand,” Minerva states.
Adobe also acknowledged to Bleeping Computer that customers have reported problems caused by this approach. While the approach looks shortsighted, the company said it is working with the affected security vendors to address the issue.