Security researchers have found that Adobe Acrobat Reader may be keeping security products from loading into its processes, which leaves them with no view of what a PDF does once it is opened.
Minerva Labs security researcher Natalie Zargarov wrote in a blog post this week that this functionality could be “potentially catastrophic” as it poses a massive security risk.
The security company said attackers weaponize PDFs by altering a file’s “OpenAction” entry, which runs when the document is opened, so that it executes PowerShell commands and exposes the system to malware.
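A triage check for the OpenAction vector described above. This is an added example, not code from Minerva Labs or Adobe: it searches a PDF’s raw bytes for an /OpenAction entry, resolves it whether it is an inline dictionary or an indirect object reference, and flags action types (Launch, JavaScript, URI, SubmitForm, ImportData) that can execute or fetch something. The sample PDF at the bottom is constructed for the demo and has no xref table; the list of action types treated as suspicious is my choice, not one the article states.

```powershell
# Added example (not Minerva Labs' or Adobe's code): triage a PDF for an /OpenAction that
# points at a Launch, JavaScript or similar action. It works on the raw bytes with regexes,
# so objects hidden inside compressed object streams (/ObjStm) are NOT seen; a clean result
# from this script is a reason to look no further only if you also decompress streams.

function Test-PdfOpenAction {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Code page 28591 (Latin-1) maps each byte to one char, so regex offsets equal file offsets.
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    $findings = @()
    # /OpenAction is either an indirect reference ("4 0 R") or an inline dictionary ("<< ... >>").
    $pattern = '/OpenAction\s*(?:(?<ref>\d+)\s+\d+\s+R|<<)'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        if ($m.Groups['ref'].Success) {
            # Indirect reference: pull the body of "N G obj ... endobj".
            $num  = $m.Groups['ref'].Value
            $obj  = [regex]::Match($text, "(?s)(?<!\d)$num\s+\d+\s+obj\b(.*?)endobj")
            $body = if ($obj.Success) { $obj.Groups[1].Value } else { '' }
        } else {
            # Inline dictionary: a window after the match is enough for triage.
            $len  = [Math]::Min(2048, $text.Length - $m.Index)
            $body = $text.Substring($m.Index, $len)
        }

        $kind = [regex]::Match($body, '/S\s*/(\w+)').Groups[1].Value
        if (-not $kind) { $kind = 'unknown' }
        # /F names the file or URI for Launch/URI actions, /JS carries the script for JavaScript actions.
        $target = [regex]::Match($body, '/(?:F|JS)\s*\((?<t>[^)]*)\)').Groups['t'].Value

        $findings += [pscustomobject]@{
            File       = $Path
            ActionType = $kind
            Target     = $target
            Suspicious = $kind -in @('Launch', 'JavaScript', 'URI', 'SubmitForm', 'ImportData')
        }
    }
    $findings
}

# Constructed sample: a minimal PDF whose OpenAction launches powershell.exe via a Launch action.
# It is deliberately incomplete (no xref table); it exists only to exercise the scanner.
$samplePdf = @'
%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Launch /Win << /F (powershell.exe) /P (-NoProfile -Command calc) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
'@

$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'openaction-sample.pdf'
[System.IO.File]::WriteAllText($tmp, $samplePdf, [System.Text.Encoding]::GetEncoding(28591))
Test-PdfOpenAction -Path $tmp | Format-Table -AutoSize
```

On the sample the script reports one finding with ActionType Launch, Target powershell.exe and Suspicious True. Because Acrobat prompts before a Launch action runs, a hit here is a reason to inspect the file, not proof of compromise; conversely, a document whose catalog lives in an object stream will slip past this byte-level search, so pair it with a tool that inflates streams.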
“When a security product is not injected into a process, this basically disables any visibility it may have on the process and hinders detection and prevention capabilities inside the process and inside every created child process,” Zargarov warned.
Many security tools gain visibility into a program’s behaviour by injecting a dynamic-link library (DLL) into each process launched on the device; from inside the process that DLL can hook API calls and watch what the program, and any child process it spawns, actually does.
“Since March of 2022, we’ve seen a gradual uptick in Adobe Acrobat Reader processes attempting to query which security product DLLs are loaded into it by acquiring a handle of the DLL,” said Zargarov.
“The requests originated from libcef.dll (a Chromium Embedded Framework (CEF) Dynamic Link Library which is used by many programs), which was indeed updated in March 2022,” she explained.
“The basic documentation for the Chromium DLL contains a short list of DLLs that have been blacklisted by them for causing conflictions.”
The security company explained that vendors embedding CEF can extend this list with DLLs of their own choosing.
“The hard-coded DLL list in the Adobe libcef.dll version we checked had been edited and was surprisingly longer,” Zargarov reported.
The extended list included the DLLs of 30 security products, including Avast, AVG, BitDefender, ESET, Kaspersky, McAfee, and Malwarebytes.
Minerva Labs explained that Adobe Reader uses a registry key to determine if it has to check for the injected DLLs.
“The registry key is created in the first run of Adobe Reader and is set by default to ‘0’,” Zargarov said.
If the value is set to ‘1’, Acrobat Reader checks for the listed security product DLLs and keeps them out of its process, so the security product has no view of what an opened PDF does.
According to Minerva Labs, the value is sometimes set to ‘1’ by default.
“The default value, we assume, is affected by the endpoint environment, version of Acrobat, and other local environmental properties.”
Zargarov added that since the key is accessible and editable by the user, anyone can change it.
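Two checks that follow from the DLL-injection mechanism and the registry switch described above, as an added example that is not Minerva Labs’ or Adobe’s code. The first compares the third-party DLLs loaded into a Reader process with those loaded into a reference process that the security product normally hooks; a vendor DLL present in the reference process but absent from Reader is a strong hint it is being kept out. The second reads the registry value the article describes; the article gives neither the key path nor the value name, so both are parameters you must supply from the vendor write-up. The process names (AcroRd32, explorer) and the “outside the Windows and Adobe folders means third-party” heuristic are assumptions of this example.

```powershell
# Added example, not Minerva Labs' or Adobe's code. Assumes the 32-bit Reader process
# name 'AcroRd32' (use 'Acrobat' for the full product) and 'explorer' as a process the
# security product normally injects into. Run as the same user that owns both processes;
# enumerating modules across a bitness boundary (32-bit PowerShell vs 64-bit target) fails.

function Compare-InjectedModules {
    param(
        [string]$TargetName    = 'AcroRd32',
        [string]$ReferenceName = 'explorer'
    )
    $target = Get-Process -Name $TargetName    -ErrorAction SilentlyContinue | Select-Object -First 1
    $ref    = Get-Process -Name $ReferenceName -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $target -or -not $ref) {
        throw "Both '$TargetName' and '$ReferenceName' must be running."
    }

    # Heuristic (assumption): anything outside the Windows tree and Adobe's own folders is
    # third-party. Security products normally load from their own Program Files directory.
    function Get-ThirdPartyModuleNames([System.Diagnostics.Process]$p) {
        $p.Modules |
            Where-Object {
                $_.FileName -and
                -not ($_.FileName -like "$env:SystemRoot\*") -and
                -not ($_.FileName -like '*\Adobe\*')
            } |
            ForEach-Object { $_.ModuleName.ToLowerInvariant() } |
            Sort-Object -Unique
    }

    $targetMods = @(Get-ThirdPartyModuleNames $target)
    $refMods    = @(Get-ThirdPartyModuleNames $ref)

    [pscustomobject]@{
        Target            = "$($target.ProcessName) (PID $($target.Id))"
        Reference         = "$($ref.ProcessName) (PID $($ref.Id))"
        LoadedInBoth      = @($refMods | Where-Object { $_ -in $targetMods })
        MissingFromTarget = @($refMods | Where-Object { $_ -notin $targetMods })
    }
}

function Get-ReaderDllCheckFlag {
    param(
        # The article does not name the key or value; take both from the vendor write-up.
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$ValueName
    )
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not present (the article says Reader creates it on first run)' }
    $value = $item.$ValueName
    # Per the article: 0 = Reader does not look for the listed DLLs, 1 = it does.
    if ($value -eq 1) { "$value (DLL check enabled)" } else { "$value (DLL check disabled)" }
}

# Usage (Reader must be open):
#   Compare-InjectedModules | Format-List
#   Get-ReaderDllCheckFlag -KeyPath 'HKCU:\Software\Adobe\<key from the write-up>' -ValueName '<value name>'
```

Read the result with the article’s caveats in mind: a DLL listed under MissingFromTarget may simply be one the product never injects into Reader, and a product that monitors from the kernel or via ETW rather than in-process will show nothing here at all. The flag value tells you what Reader is configured to do, not what it has done, so the two checks belong together.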
Adobe told BleepingComputer that it is working with the relevant vendors to address the problem.