In a response to BleepingComputer, Adobe confirmed that users have reported issues caused by incompatibilities between the DLL components of certain security products and Adobe Acrobat's use of CEF libraries.

2024/04/15 02:20:34 technology 1703

Security researchers have discovered that Adobe Acrobat tries to prevent security software from inspecting the PDF files it opens, which may pose a security risk to users. Adobe's products check for 30 mainstream security products on the market. When components of these security products are detected in the process, Acrobat tries to block them. This also means that Adobe prevents security products from monitoring malicious activity.


PDF files have been abused in the past to execute malware on systems. Researchers at cybersecurity firm Minerva Labs explained that one method is to add a command in the "OpenAction" section of the document to run a PowerShell command for malicious activity.

"Since March 2022, we have seen an increase in Adobe Acrobat Reader processes attempting to query which security product DLLs are loaded by obtaining a handle to the DLL," Minerva Labs said.

According to a report this week, the list has grown to include 30 DLLs for security products from various vendors. The more popular ones among consumers are Bitdefender, Avast, Trend Micro, Symantec, Malwarebytes, ESET, Kaspersky, F-Secure, Sophos, and Emsisoft.

The list is as follows:

  1. Trend Micro

  2. BitDefender

  3. AVAST

  4. F-Secure

  5. McAfee

  6. 360 Security

  7. Citrix

  8. Symantec

  9. Morphisec

  10. Malwarebytes

  11. Checkpoint

  12. Ahnlab

  13. Cylance

  14. Sophos

  15. CyberArk

  16. Citrix

  17. BullGuard

  18. Panda Security

  19. Fortinet

  20. Emsisoft

  21. ESET

  22. K7 TotalSecurity

  23. Kaspersky

  24. AVG

  25. CMC Internet Security

  26. Samsung Smart Security ESCORT

  27. Moon Secure

  28. NOD32

  29. PC Matic

  30. SentryBay

The system is queried through "libcef.dll", a Chromium Embedded Framework (CEF) dynamic-link library used by a wide variety of programs. While the Chromium DLL comes with a short list of components that are blacklisted because they cause conflicts, vendors using it can modify the list and add any DLL they want.

The researchers explain that "libcef.dll is loaded by two Adobe processes: AcroCEF.exe and RdrCEF.exe," so both products are checking the system for components of the same security products.

Taking a closer look at what happens with DLLs injected into the Adobe process, Minerva Labs discovered that Adobe checks to see if the bBlockDllInjection value under the registry key "SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection\" is set to 1. If so, it will prevent the antivirus software's DLL from being injected into the process.

According to Minerva Labs researcher Natalie Zargarov, the default value of the registry key is set to "1" - indicating active blocking. This setting may depend on the operating system or version of Adobe Acrobat installed, as well as other variables on your system.
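To see how a given workstation is actually configured, the following PowerShell is an added example (not from the article, Adobe or Minerva Labs) that reads the bBlockDllInjection value and lists third-party DLLs loaded into running AcroCEF/RdrCEF processes. The registry hives checked, the function names and the path-based filter are assumptions; the article gives only the key path, the value name and the process names.

```powershell
# Added example; hives, function names and the module filter are assumptions.
$tail      = 'Adobe\Adobe Acrobat\DC\DLLInjection'   # key path quoted in the article
$valueName = 'bBlockDllInjection'                    # value name quoted in the article
# The article does not name a hive, so HKLM (64- and 32-bit views) and HKCU are checked.
$keys = "HKLM:\SOFTWARE\$tail", "HKLM:\SOFTWARE\WOW6432Node\$tail", "HKCU:\SOFTWARE\$tail"

function Get-AcrobatDllInjectionSetting {
    foreach ($key in $keys) {
        $prop  = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        $value = $null
        if ($null -eq $prop) {
            $state = 'value not present'
        } else {
            $value = $prop.$valueName
            if ($value -eq 1) { $state = 'set to 1: blocking active (per the article)' }
            else              { $state = 'present but not 1' }
        }
        [pscustomobject]@{ Key = $key; Value = $value; State = $state }
    }
}

function Get-AcrobatCefModule {
    # Lists DLLs in the two CEF processes named in the article so you can see
    # whether your security product's module is actually loaded there.
    foreach ($proc in Get-Process -Name AcroCEF, RdrCEF -ErrorAction SilentlyContinue) {
        try {
            $modules = $proc.Modules
        } catch {
            Write-Warning "Cannot read modules of PID $($proc.Id): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $modules) {
            # Heuristic (assumption): skip Windows system DLLs and files under an Adobe path.
            if ($m.FileName -like "$env:SystemRoot\*" -or $m.FileName -like '*\Adobe\*') { continue }
            [pscustomobject]@{
                Process = $proc.ProcessName; Id = $proc.Id; Module = $m.ModuleName
                Company = $m.FileVersionInfo.CompanyName; Path = $m.FileName
            }
        }
    }
}

Get-AcrobatDllInjectionSetting | Format-Table -AutoSize
Get-AcrobatCefModule | Format-Table -AutoSize
```

An empty second table while Acrobat is open and the value is 1 is consistent with the blocking behaviour described above; run it from a session with the same bitness as the Acrobat processes so their modules can be enumerated.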

Adobe confirmed in a reply to BleepingComputer that users have reported issues due to incompatibilities between the DLL components of certain security products and Adobe Acrobat's use of the CEF library.

Adobe said: "We are aware of reports that certain DLLs in security tools are incompatible with Adobe Acrobat's use of CEF, a Chromium-based engine with a restricted sandbox design and may cause stability issues."

The company added that it is currently working with these vendors to resolve the issue and "ensure correct functionality of Acrobat's CEF sandbox design in the future."

Minerva Labs researchers believe that the solution chosen by Adobe resolves compatibility issues but introduces a real risk of attack by preventing security software from protecting the system.
