Adobe patch bypass found

The fix released last week has not entirely solved the flaws in Adobe Reader.

Adobe logo

A workaround for the latest Adobe patch has been discovered by researchers, meaning its Reader product is still vulnerable to attacks.

Didier Stevens, a security researcher from Belgium, was the first to find the flaw in Adobe Reader back in March, which enabled hackers to take over machines and easily run malware.

In his latest blog post, Stevens has claimed the patch released by Adobe last Tuesday, which aimed to fix 17 vulnerabilities overall, still did not fully protect a user from hack attacks.

"I did some research and discovered that Adobe implemented a blacklist of extensions for the launch action, but that the blacklisting functionality identifies the file type of "cmd.exe" as .exe", and not .exe," he wrote.

This means by simply including double quote marks around a file name, hackers are still able to get a PDF to run malware.

Stevens has raised the issue discovered by another researcher, Le Mahn Tung with Adobe and the company has admitted its blacklisting technique was not ideal.

"While blacklist capabilities alone are not a perfect solution to defend against those with malicious intent this option reduces the risk of attack, while minimising the impact on customers relying on workflows that depend on the launch functionality," wrote Brad Arkin on the Adobe Secure Software Engineering Team blog.

"We will evaluate this workaround to determine whether additional changes to the blacklist are required."

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

DeviceSHIELD combats rising cyber attacks and online fraud amid COVID-19
Security

DeviceSHIELD combats rising cyber attacks and online fraud amid COVID-19

24 Nov 2020
350,000 Spotify users hacked in credential stuffing attack
Security

350,000 Spotify users hacked in credential stuffing attack

24 Nov 2020
WAPDropper malware hooks you up to premium telecoms services
Security

WAPDropper malware hooks you up to premium telecoms services

24 Nov 2020
VMware sounds alarm over zero-day flaws in multiple products
Security

VMware sounds alarm over zero-day flaws in multiple products

24 Nov 2020

Most Popular

macOS Big Sur is bricking some older MacBooks
operating systems

macOS Big Sur is bricking some older MacBooks

16 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020
How computing has revolutionised Formula 1
Sponsored

How computing has revolutionised Formula 1

11 Nov 2020