It's not unusual for bad actors to use PDF files to deliver malware. We were reminded of this just two months ago when HP Wolf Security warned in an article titled "PDF malware is not yet dead" of a
Snake keylogger campaign. To make matters worse, security researchers at Minerva Labs uncovered some odd behavior in Adobe's Acrobat Reader that could leave users more exposed to threats hidden in PDF files.
To put it simply, Acrobat Reader is preventing the DLLs of roughly 30 popular
security products from loading into its process, which is how those products watch what the reader does with a PDF. The list includes Trend Micro, BitDefender, AVAST, F-Secure, McAfee, 360 Security, Citrix, Symantec, Morphisec, Malwarebytes, Checkpoint, Ahnlab, Cylance, Sophos, CyberArk, BullGuard, Panda Security, Fortinet, Emsisoft, ESET, K7 TotalSecurity, Kaspersky, AVG, CMC Internet Security, Samsung Smart Security ESCORT, Moon Secure, NOD32, PC Matic, and SentryBay.
Part of the way
security programs work their mojo is by injecting Dynamic Link Libraries (DLLs) into applications, which lets them hook and monitor what those applications do from the inside. Over the past few months, however, Minerva says it has observed a gradual uptick in Acrobat Reader processes checking which security product DLLs are loaded into them and keeping those DLLs out, and the behavior struck the researchers as quite unusual.
"The outcome of Adobe blocking dll injections of security modules could potentially be catastrophic. When a security product is not injected into a process, this basically disables any visibility it may have on the process and hinders detection and prevention capabilities inside the process and inside every created child process," Minerva says.
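A practitioner reading this will want to check whether their own security product's DLL is actually present inside the Acrobat processes on a given machine. The PowerShell script below is an added example, not code from the article, Minerva or Adobe: it enumerates the modules loaded into the Acrobat processes, matches their file names against vendor keywords (constructed from the vendor list above), and compares the result with a baseline process that the same product normally injects into, so a module present in the baseline but absent from Acrobat stands out. The process names (`Acrobat`, `AcroRd32`, `AcroCEF`), the choice of `explorer` as baseline and the keyword list are all assumptions to adjust for your environment.

```powershell
# Added example (not from the article, Minerva or Adobe). Compares the DLLs loaded
# into Acrobat processes with those in a baseline process to spot security modules
# that are injected elsewhere but missing from Acrobat. Run from an elevated
# PowerShell of the same bitness as Acrobat so Process.Modules can be read.
param(
    # Assumed Acrobat process names; check Task Manager on your build.
    [string[]]$AcrobatProcessNames = @('Acrobat', 'AcroRd32', 'AcroCEF'),
    # Assumed baseline: a user-mode process most endpoint products inject into.
    [string]$BaselineProcessName   = 'explorer',
    # Constructed keyword list derived from the vendors named in the article.
    # Matching is a heuristic on file names; products that work only from the
    # kernel (minifilters, callbacks) never show up here, in any process.
    [string[]]$VendorKeywords = @('sophos', 'mcafee', 'kaspersky', 'eset', 'bitdefender',
                                  'trend', 'symantec', 'sentinel', 'cylance', 'malwarebytes',
                                  'avast', 'avg', 'fsecure', 'f-secure', 'panda', 'fortinet',
                                  'emsisoft', 'checkpoint', 'cyberark', 'morphisec')
)

function Get-LoadedModuleNames {
    param([System.Diagnostics.Process]$Process)
    try {
        # Lower-cased module file names, e.g. "kernel32.dll"
        return @($Process.Modules | ForEach-Object { $_.ModuleName.ToLowerInvariant() })
    } catch {
        # Typical causes: 32/64-bit mismatch with this PowerShell, or missing rights.
        Write-Warning ("Cannot enumerate modules of {0} (PID {1}): {2}" -f
            $Process.ProcessName, $Process.Id, $_.Exception.Message)
        return @()
    }
}

function Find-VendorModules {
    param([string[]]$ModuleNames, [string[]]$Keywords)
    # Keep module names that contain any vendor keyword.
    return @($ModuleNames | Where-Object {
        $name = $_
        $Keywords | Where-Object { $name -like "*$_*" }
    })
}

$baseline = Get-Process -Name $BaselineProcessName -ErrorAction SilentlyContinue |
            Select-Object -First 1
if (-not $baseline) { throw "Baseline process '$BaselineProcessName' is not running" }

$baselineVendor = Find-VendorModules (Get-LoadedModuleNames $baseline) $VendorKeywords
Write-Host ("Security modules in {0}: {1}" -f $baseline.ProcessName, ($baselineVendor -join ', '))

$acrobat = Get-Process -Name $AcrobatProcessNames -ErrorAction SilentlyContinue
if (-not $acrobat) {
    Write-Warning "No Acrobat process is running; open a PDF first and re-run"
    return
}

foreach ($proc in $acrobat) {
    $loaded  = Get-LoadedModuleNames $proc
    $present = Find-VendorModules $loaded $VendorKeywords
    # Vendor modules the baseline has but this Acrobat process does not.
    $missing = @($baselineVendor | Where-Object { $loaded -notcontains $_ })
    [pscustomobject]@{
        Process           = "{0} ({1})" -f $proc.ProcessName, $proc.Id
        VendorModules     = ($present -join ', ')
        MissingVsBaseline = ($missing -join ', ')
    }
}
```

A non-empty `MissingVsBaseline` column for an Acrobat process is the condition Minerva describes: the product is active on the host but has no user-mode presence in the reader. Treat an empty `VendorModules` column in both processes as "this product does not inject a DLL at all" rather than as evidence of blocking, and remember that a keyword match on a file name only suggests a vendor; confirm with the module path or its signature before drawing conclusions.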
Why would Adobe do this? Acrobat Reader uses the Chromium Embedded Framework (CEF) library. In a
statement provided to the research team, Adobe explained that the Chromium-based engine has a restricted sandbox design and could cause stability issues with certain security tools.
"It would appear that Adobe has chosen an approach which solves an immediate compatibility issue, but could create new issues from a security perspective... This, to us, is a prime example of a large enterprise company with a multi-million strong install-base prioritizing convenience and essentially inserting malware-like behavior into their software instead of working to actually solve the issue at hand," Minerva states.
Adobe did acknowledge to
Bleeping Computer that users have reported issues because of this approach. While the solution seems a bit shortsighted, the company also said it is working with affected security vendors to address the issue.