Adobe Acrobat May Prevent Antivirus Software from Monitoring PDF Files


Adobe Acrobat poses a security risk to consumers by attempting to prevent security software from viewing the PDF files it opens, according to security researchers.

Adobe’s software checks whether components from 30 security products are loaded into its processes and most likely blocks them, preventing those products from monitoring for malicious activity.

Making mismatched AVs visible

Injecting dynamic-link libraries (DLLs) into software programs that are launching on the machine gives security tools the insight they need into all processes running on the system.

PDF files have been used in the past to launch malware onto a system. The researchers at cybersecurity firm Minerva Labs describe one way to run PowerShell instructions for malicious activities: adding a command to the document’s ‘OpenAction’ section.

Since March 2022, a growing number of Adobe Acrobat Reader processes have been attempting to determine which security product DLLs are loaded into them by obtaining a handle to the DLL. The Minerva Labs

This week, a report claimed that 30 DLLs from security solutions from various vendors have been added to the list. Bitdefender, Avast, Trend Micro, Symantec, Malwarebytes, ESET, Kaspersky, F-Secure, Sophos, and Emsisoft are a few of the more well-known brands among customers.

A dynamic link library called “libcef.dll,” which is a part of the Chromium Embedded Framework (CEF) and is used by a wide range of apps, is used to query the system.

Although the CEF library ships with a limited list of components that it blacklists because they cause conflicts, vendors using the Chromium DLL can customize it and add whatever DLLs they wish.

According to the researchers, “libcef.dll is loaded by two Adobe processes: AcroCEF.exe and RdrCEF.exe,” which means that both software programs are searching the system for parts of the same security software.

Minerva Labs discovered that when DLLs are injected into Adobe processes, Adobe checks whether the value bBlockDllInjection under the registry key “SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection” is set to 1. If so, it stops its processes from being injected with DLLs from antivirus software.

It is important to know that the registry key’s value is always ‘0’ when Adobe Reader starts up and that it can be changed at any moment.

“Based on the CEF documentation and the registry key name bBlockDllInjection, we may infer that the blacklisted DLLs are intended to be unloaded.” – Minerva Labs

The registry key’s default value is set to “1,” which denotes active blocking, according to Natalie Zargarov, a researcher with Minerva Labs. The operating system or the version of Adobe Acrobat that is installed, as well as other factors on the system, may have an impact on this option.
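As an added example that is not part of the article or of Minerva Labs’ research, the following PowerShell audit reads the bBlockDllInjection value described above and lists which security vendor DLLs are actually loaded in Acrobat’s CEF helper processes. The hives (HKLM and HKCU) and the WOW6432Node path are assumptions; the article only gives the key’s relative path.

```powershell
# Added audit script (not Adobe's or Minerva Labs' code). Run elevated so that
# module enumeration works for the AcroCEF.exe / RdrCEF.exe processes.
$relKey = 'SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection'   # key named in the article
$value  = 'bBlockDllInjection'                              # value named in the article
$hives  = @('HKLM:', 'HKCU:')                               # assumption: check both hives
$paths  = foreach ($h in $hives) {
    "$h\$relKey"
    "$h\SOFTWARE\WOW6432Node\Adobe\Adobe Acrobat\DC\DLLInjection"   # assumption: 32-bit view
}

'--- DLL-injection blocking state ---'
foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    $v = (Get-ItemProperty -Path $p -Name $value -ErrorAction SilentlyContinue).$value
    $state = switch ($v) {
        1       { 'BLOCKING security DLLs' }
        0       { 'not blocking' }
        default { 'value missing' }
    }
    '{0}\{1} = {2} ({3})' -f $p, $value, $v, $state
}

'--- Security vendor modules inside Acrobat CEF processes ---'
# Vendors the article names; used only to tag loaded modules by their CompanyName.
$vendors = 'Bitdefender','Avast','Trend Micro','Symantec','Malwarebytes',
           'ESET','Kaspersky','F-Secure','Sophos','Emsisoft'
$procs = Get-Process -Name AcroCEF, RdrCEF -ErrorAction SilentlyContinue
if (-not $procs) { 'No AcroCEF.exe / RdrCEF.exe running; open a PDF in Acrobat first.' }
foreach ($proc in $procs) {
    foreach ($m in $proc.Modules) {
        $company = $m.FileVersionInfo.CompanyName
        $hit = $vendors | Where-Object { $company -like "*$_*" }
        if ($hit) {
            '{0} (PID {1}): {2} [{3}]' -f $proc.Name, $proc.Id, $m.ModuleName, $company
        }
    }
}
```

If the value reads 1 while no vendor module appears in a running AcroCEF.exe or RdrCEF.exe, that is the visibility gap the researchers describe; compare against a process where blocking is off before drawing conclusions.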

On March 28, a customer complained on the Citrix forums about Sophos AV issues caused by installed Adobe software. The user claimed that the company “recommended to stop DLL-injection for Acrobat and Reader.”

Tackling the issue

In a response to BleepingComputer, Adobe acknowledged that users had reported experiencing problems because some security software’s DLL components weren’t compatible with Adobe Acrobat’s use of the CEF library.

We are aware of concerns that some DLLs from security products may create stability problems because Adobe Acrobat uses the Chromium-based CEF engine, which has a constrained sandbox design. – Adobe

The company added that it is currently collaborating with these vendors to address the issue and “to ensure correct operation with Acrobat’s CEF sandbox design moving forward.”

Researchers from Minerva Labs contend that Adobe made a decision that fixes compatibility issues but creates a genuine attack risk by blocking security applications from defending the system.

When we obtain more information, we will update the article. BleepingComputer has contacted Adobe with more inquiries to clarify the circumstances under which the DLL blocking happens.
